CVE-2025-62150
Description
Missing Authorization vulnerability in themesawesome History Timeline timeline-awesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects History Timeline: from n/a through <= 1.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The History Timeline plugin (≤ 1.0.6) lacks proper access control, allowing unauthenticated or low-privilege users to execute actions reserved for higher-privilege roles.
Summary
The History Timeline plugin by themesawesome for WordPress contains a missing authorization vulnerability. The plugin fails to enforce correct access control checks on certain functions, meaning users without the required permissions can trigger administrative actions. This type of flaw is categorized as a broken access control issue, where missing nonce tokens or authorization checks allow privilege escalation [1].
Exploitation
To exploit this vulnerability, an attacker does not need any special authentication — a standard WordPress subscriber or even an unauthenticated visitor could potentially trigger the vulnerable endpoint. The attack surface is the plugin's admin-facing functionality that lacks proper capability verification. As noted in the advisory, such vulnerabilities are commonly used in mass-exploit campaigns that target thousands of websites simultaneously, regardless of site size or popularity [1].
Impact
Successful exploitation lets an attacker perform actions intended for higher-privilege users, such as modifying plugin settings, inserting malicious content, or gaining further control over the site. Since the plugin is used for displaying timelines, the attacker could corrupt site content or use the plugin as a foothold for broader compromise. The CVSS score for this issue is 4.3 (Medium), reflecting moderate impact on confidentiality, integrity, and availability [1].
Mitigation
The vendor has released patched versions beyond 1.0.6. Users are strongly advised to update the plugin immediately. If immediate updating is not possible, site administrators should consider temporarily disabling the plugin or implementing a web application firewall rule to block requests to the affected endpoints until a full update can be applied [1].
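To make the flaw class concrete, here is a hypothetical WordPress AJAX handler (an added example, not code from the History Timeline plugin; the action, option and nonce names are invented) shown first without any authorization check and then hardened with the nonce and capability checks the summary above refers to.

```php
<?php
// Hypothetical handler illustrating a missing-authorization flaw in a WordPress plugin.
// Not the History Timeline plugin's code: action, option and nonce names are invented.

// BEFORE: every request to admin-ajax.php?action=ht_save_settings is honoured.
// A wp_ajax_nopriv_ hook makes it reachable without logging in, and the plain
// wp_ajax_ hook reaches every logged-in role, including subscribers. No nonce,
// no capability check, no sanitization.
function ht_save_settings_vulnerable() {
    update_option( 'ht_timeline_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}
// The vulnerable registration, left commented out so the fixed handler below is the
// only one hooked when this file is loaded:
// add_action( 'wp_ajax_ht_save_settings',        'ht_save_settings_vulnerable' );
// add_action( 'wp_ajax_nopriv_ht_save_settings', 'ht_save_settings_vulnerable' );

// AFTER: verify a nonce (anti-CSRF) and a capability (authorization) before doing
// anything, register only for authenticated users, and sanitize the input.
function ht_save_settings_fixed() {
    // Dies with HTTP 403 if the 'nonce' field is missing or does not match the action.
    check_ajax_referer( 'ht_save_settings', 'nonce' );

    // Authorization: changing plugin settings is an administrator-level action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }

    $raw = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'ht_timeline_settings', sanitize_text_field( $raw ) );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: anonymous visitors never reach the handler.
add_action( 'wp_ajax_ht_save_settings', 'ht_save_settings_fixed' );

// The matching nonce is handed to the settings page, e.g. via
// wp_localize_script( 'ht-admin', 'htAjax', array( 'nonce' => wp_create_nonce( 'ht_save_settings' ) ) );
// so only a page the administrator actually loaded can produce a valid request.
```

When reviewing a plugin for this class of bug, every `wp_ajax_*`, `wp_ajax_nopriv_*`, REST route callback and `admin_post_*` handler that writes data should show both a nonce check and a `current_user_can()` test; one without the other is still a finding.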
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.0.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.