CVE-2025-62922

The Export Categories plugin for WordPress (versions up to and including 1.0) contains a missing authorization vulnerability. The plugin fails to properly enforce no proper access controls on certain functions, meaning that functionality intended for administrators or other privileged roles can be invoked without authentication or authorization checks [1].

This broken access control issue can be exploited by any unauthenticated visitor to the site. No special prerequisites beyond network access to the WordPress instance are required. The attack surface is broad because the plugin is widely used and the vulnerability is trivial to trigger [1].

An attacker exploiting this flaw can access functionality that should be constrained by ACLs, potentially leading to unauthorized data export or other actions that the plugin's restricted functions perform. The exact impact depends on what the unprotected functions do, but the vulnerability is classified as medium severity (CVSS 5.3) [1].

As of the advisory, users are urged to update the plugin immediately. If an update is not available, the recommendation is to disable the plugin or seek assistance from a hosting provider or developer. The vulnerability is noted as being used in mass-exploit campaigns [1].