CVE-2025-62931

The MSN Partner Hub plugin for WordPress, developed by microsoftstart, contains a missing authorization vulnerability. This broken access control issue arises from incorrectly configured access control security levels, allowing unauthenticated users to perform higher-privileged actions [1]. The flaw affects all versions from n/a through 2.9.

Attackers can exploit this vulnerability over the network without authentication. The lack of proper authorization checks means any visitor can trigger privileged functions, making it a low-complexity attack. Given the plugin's wide use, this vulnerability is frequently targeted in mass-exploit campaigns against thousands of websites [1].

Successful exploitation grants attackers the ability to execute actions meant for administrators, potentially leading to unauthorized data access, site defacement, or further compromise. The CVSS score of 4.3 reflects the medium severity of this privilege escalation risk [1].

Users are strongly advised to update the plugin immediately. If an update is not available or possible, consulting a hosting provider or web developer for alternative mitigation is recommended [1].