CVE-2025-62909
Description
Missing Authorization vulnerability in mrityunjay Smart WeTransfer smart-wetransfer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart WeTransfer: from n/a through <= 1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Smart WeTransfer WordPress plugin <=1.3 has a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability Overview
The Smart WeTransfer WordPress plugin, versions 1.3 and earlier, contains a missing authorization vulnerability. The root cause is a failure to properly enforce access control checks, specifically missing authorization, authentication, or nonce token validation in certain functions. This allows an unprivileged user to execute actions that should require higher privileges [1].
Exploitation
This vulnerability can be exploited by an attacker who does not have any special privileges. The attack vector is network-based, requiring no user interaction. The low complexity of exploitation makes it suitable for mass exploitation campaigns, where attackers target thousands of websites regardless of their size or popularity [1].
Impact
Successful exploitation allows an attacker to perform unauthorized actions, potentially leading to data exposure or modification. The CVSS v3 base score is 4.3 (Medium), indicating a moderate severity. The vulnerability is categorized as a broken access control issue [1].
Mitigation
The vendor has not released a patch for versions beyond 1.3, and users are advised to update the plugin immediately. If updating is not possible, users should contact their hosting provider or web developer for assistance. This vulnerability is known, and exploitation activity has been observed in the wild [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.3
- Range: <= 1.3
Patches
No patches discovered yet.