CVE-2025-62944

The MSTW CSV EXPORTER plugin for WordPress, developed by Mark O'Donnell, is vulnerable to a broken access control issue in versions up to and including 1.4. The vulnerability stems from missing authorization checks, meaning that the plugin fails to properly verify if a user has the necessary permissions before executing certain functions. This is classified as a Missing Authorization vulnerability (CWE-862) and can be exploited to perform actions that should require higher privileges.

Attackers can exploit this vulnerability without needing to authenticate themselves. The attack surface is remote, and no special network position is required beyond typical internet access. The broken access control allows an unprivileged actor to potentially access or modify CSV export functionality, bypassing security levels that should restrict such operations. The vulnerability is listed in the Patchstack database and is noted to be used in mass-exploit campaigns targeting thousands of websites [1].

The primary impact is the ability to exploit incorrectly configured access control security levels, potentially leading to unauthorized data export or manipulation. The CVSS v3 score is 5.3 (Medium), reflecting the moderate severity but wide reach of the issue. The advisory recommends immediate updating of the plugin to a patched version. If updating is not possible, users should contact their hosting provider or web developer for assistance [1].