VYPR
Medium severity 5.4 · NVD Advisory · Published Dec 31, 2025 · Updated Apr 23, 2026

CVE-2025-62888

Description

Missing Authorization vulnerability in Marco Milesi WP Attachments wp-attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Attachments: from n/a through <= 5.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in WP Attachments plugin (≤5.2) allows unauthenticated access to restricted functions, enabling mass exploitation.

Vulnerability Overview

CVE-2025-62888 is a missing authorization vulnerability in the WP Attachments plugin for WordPress, affecting versions up to and including 5.2. The plugin fails to properly enforce access control checks, allowing unauthenticated users to execute functions that should require higher privileges. This is a classic broken access control issue, where the software does not verify that the current user has the necessary permissions before performing sensitive actions [1].

Exploitation

An attacker can exploit this vulnerability without needing any authentication or prior access to the target site. The missing authorization check means that any unauthenticated visitor can trigger privileged operations, such as viewing, modifying, or deleting attachments. The attack surface is broad because the plugin is widely used, and the vulnerability can be automated for mass exploitation campaigns targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation allows an attacker to bypass access controls and perform actions that should be restricted to authenticated users with specific roles. This could lead to unauthorized access to sensitive attachment data, modification of content, or other administrative-level operations depending on the affected function. The CVSS v3 score of 5.4 (Medium) reflects the potential for significant impact, though the vendor notes the severity is low and exploitation is unlikely [1].

Mitigation

The vulnerability has been patched in version 5.2.1 of the WP Attachments plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can also enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

References

1
