CVE-2025-62915

Vulnerability

Overview CVE-2025-62915 describes a Missing Authorization vulnerability in the WordPress plugin SMS Contact Form 7 Notifications by ClickSend (version 1.4.0 and earlier). The plugin fails to properly check access control security levels, meaning that unauthenticated users can trigger functions that should require higher privileges. This flaw stems from incorrectly configured access control, a classic broken access control issue [1].

Exploitation

Attackers can exploit this vulnerability without needing any authentication. The missing authorization allows an unprivileged attacker to call privileged functions within the plugin. This type of vulnerability is often targeted in mass-exploit campaigns, where attackers scan for vulnerable instances to attack thousands of websites regardless of their size or popularity [1].

Impact

By successfully exploiting this vulnerability, an attacker can perform actions that should be restricted to higher-privileged users, potentially leading to unauthorized modification of plugin settings, reading sensitive data, or other actions depending on the affected function. The CVSS score of 4.3 (Medium) reflects the moderate but real risk of an exposed, unauthenticated attack vector [1].

Mitigation

To remediate, users must update the plugin to a version newer than 1.4.0 as soon as possible. If an immediate update is not feasible, contacting the hosting provider or a web developer for assistance is recommended. As the vulnerability is actively used in campaigns, applying the patch is critical [1].