CVE-2025-62938

Vulnerability

Overview

The Reoon Email Verifier plugin for WordPress versions up to and including 2.0.1 contains a missing authorization vulnerability [1]. This issue stems from incorrectly configured access control security levels, meaning the plugin fails to properly verify user permissions before allowing certain actions [1].

Exploitation

An attacker can exploit this vulnerability without needing any authentication, as the broken access control allows unprivileged users to perform actions that should require higher privileges [1]. The attack surface is broad because the plugin is widely used, and this type of vulnerability is frequently targeted in mass-exploit campaigns against thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation could enable an attacker to access or modify sensitive data, or perform unauthorized administrative actions within the WordPress installation [1]. The CVSS v3 score of 4.3 (Medium) reflects the potential for partial compromise, though the vendor notes the severity is low and exploitation is unlikely [1].

Mitigation

The vulnerability is patched in version 2.1.1 of the plugin [1]. Users are strongly advised to update immediately. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1]. Patchstack users can enable auto-updates for vulnerable plugins [1].