CVE-2025-62869
Description
Missing Authorization vulnerability in Gravitec.net – Web Push Notifications (plugin slug gravitec-net-web-push-notifications) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gravitec.net – Web Push Notifications: from n/a through 2.9.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in the Gravitec.net Web Push Notifications plugin for WordPress, in versions up to and including 2.9.17, allows unprivileged users to reach functionality whose access controls are incorrectly configured.
Vulnerability
Overview
The Gravitec.net – Web Push Notifications plugin for WordPress contains a missing authorization vulnerability in versions through 2.9.17. The flaw stems from the absence of proper access control checks, such as a capability check or nonce verification, on certain plugin functions. As a result, functionality that should require higher privileges is exposed to unauthenticated or low-privileged users [1].
Exploitation
An attacker exploits this by calling the affected functions directly, bypassing the authorization path the plugin intended. No special privileges are required beyond those of a regular user, and in some cases no authentication at all. The vulnerability is rated medium severity (CVSS 4.3) and considered low risk by the vendor, but broken access control issues of this kind are frequently used in mass-exploitation campaigns that target thousands of websites at once [1].
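The pattern described in the Overview and Exploitation sections, as an added illustrative example that is not Gravitec's code: the page does not identify which plugin functions are affected, so the handler name, option name and nonce action below are hypothetical. It shows a WordPress admin-ajax handler that writes a plugin setting with no authorization check, beside the hardened form, and assumes it is loaded as part of a plugin inside WordPress so that add_action, current_user_can, check_ajax_referer and the other core functions are available.

```php
<?php
// Added illustrative example (hypothetical handler, not the Gravitec plugin's code).
// Assumes it runs inside WordPress as plugin code.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// --- Vulnerable pattern: missing authorization ---
// The callback is hooked for both logged-in and anonymous requests, and it never
// checks who is calling. Any visitor who POSTs to
//   /wp-admin/admin-ajax.php?action=demo_push_save_settings
// overwrites the option, which is an action meant for administrators.
function demo_push_save_settings_vulnerable() {
    $settings = array(
        'app_key' => sanitize_text_field( wp_unslash( $_POST['app_key'] ?? '' ) ),
    );
    update_option( 'demo_push_settings', $settings ); // privileged write, no gate
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_demo_push_save_settings', 'demo_push_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_push_save_settings', 'demo_push_save_settings_vulnerable' );

// --- Hardened pattern ---
function demo_push_save_settings_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce( 'demo_push_save_settings' ) on the settings page).
    //    check_ajax_referer() terminates the request with a 403 on mismatch.
    check_ajax_referer( 'demo_push_save_settings', 'nonce' );

    // 2. Authorization: only users who may manage site options proceed.
    //    This is the check whose absence is a "missing authorization" bug;
    //    a nonce alone does not establish the caller's privilege level.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = array(
        'app_key' => sanitize_text_field( wp_unslash( $_POST['app_key'] ?? '' ) ),
    );
    update_option( 'demo_push_settings', $settings );
    wp_send_json_success( $settings );
}
// Only the authenticated hook is registered; there is deliberately no
// wp_ajax_nopriv_ variant, so anonymous callers never reach the callback.
add_action( 'wp_ajax_demo_push_save_settings_hardened', 'demo_push_save_settings_hardened' );
```

The nonce and the capability check answer different questions: the nonce proves the request came from a page WordPress rendered for the current session (CSRF protection), while current_user_can() decides whether that user is allowed to perform the action at all. A handler with a nonce but no capability check is still reachable by any subscriber who can load a page that emits the nonce. For REST routes the equivalent gate is the permission_callback passed to register_rest_route().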
Impact
Successful exploitation allows an unprivileged attacker to perform actions normally reserved for higher-privileged roles such as administrators, which could mean unauthorized configuration changes or data exposure. The precise impact depends on which plugin functions lack authorization checks.
Mitigation
The vulnerability is remediated in version 2.9.18 of the plugin. Users are strongly advised to update to this version or later. For sites using Patchstack, enabling auto-updates for vulnerable plugins can provide immediate protection [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 2.9.17
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.