CVE-2025-62867

The Ergonet Ergonet Cache plugin for WordPress (ergonet-varnish-cache) contains a missing authorization vulnerability in versions up to and including 1.0.13. The issue stems from a broken access control mechanism, where the plugin fails to properly verify user permissions or nonce tokens before executing certain higher-privileged actions [1]. This allows unprivileged users to exploit incorrectly configured access control security levels.

Exploitation

An attacker can exploit this vulnerability without requiring authentication, as the missing authorization check does not enforce proper access controls. The attack surface is the WordPress admin interface, and no special network position is needed beyond standard web access. The vulnerability is considered low severity but is known to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Impact

Successful exploitation enables an unauthenticated attacker to perform actions that should be restricted to higher-privileged users, such as modifying cache settings or other plugin configurations. This could lead to partial loss of integrity or availability, though the impact is limited by the plugin's scope.

Mitigation

The vendor has released version 1.0.14 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].