CVE-2025-62946

Vulnerability

Overview

The Everest Backup WordPress plugin versions 2. Versions 2.3.8 and below contain a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, meaning the plugin fails to properly verify user permissions before allowing certain actions. [1]

Exploitation

This broken access control issue can be exploited by unauthenticated attackers. Because the plugin lacks proper authorization checks, an attacker can trigger higher-privileged actions without needing any authentication. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of websites. [1]

Impact

An attacker exploiting this vulnerability can perform actions that should be restricted to authenticated users with higher privileges. The exact impact depends on the specific functions exposed, but it generally allows unauthorized modification or access to site data. The CVSS score of 5.3 (Medium) reflects the potential for unauthorized access. [1]

Mitigation

The vendor has released version 2.3.9 which resolves the vulnerability. Users are strongly advised to update immediately. If updating is not possible, consulting a hosting provider or web developer or hosting provider for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins. [1]