CVE-2025-62929
Description
Missing Authorization vulnerability in PickPlugins Testimonial Slider testimonial allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Testimonial Slider: from n/a through <= 2.0.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in PickPlugins Testimonial Slider (≤2.0.15) allows unauthenticated exploitation of incorrectly configured access controls.
Vulnerability Overview
[1] CVE-2025-62929 describes a missing authorization vulnerability in the PickPlugins Testimonial Slider plugin for WordPress, affecting versions 2.0.15 and earlier. The root cause is a broken access control issue where the plugin fails to properly enforce authorization checks, allowing exploitation of incorrectly configured access control security levels.
Attack Vector
This vulnerability is exploited without requiring authentication, as the missing authorization means an unprivileged user can execute actions intended for higher-privileged roles. [1] The attack vector is network-based, and the vulnerability is part of a broader trend of mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity.
Impact
Successful exploitation allows an attacker to bypass access controls, potentially leading to unauthorized modification or disclosure of data, or other actions normally restricted to higher-level users. [1] The CVSS v3 score is 6.5 (Medium), reflecting the moderate severity but high likelihood of automated exploitation.
Mitigation
The vendor has not released a patch; the affected version remains 2.0.15. Immediate action is to update the plugin if a patched version becomes available, or to contact the hosting provider or web developer for assistance. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.