CVE-2025-62965

The Admin Management Xtended WordPress plugin, versions 2.5.1 and earlier, contains a missing authorization vulnerability. The root cause is an incorrectly configured access control security level, which fails to properly verify user privileges before granting access to certain administrative functions [1].

This vulnerability can be exploited by any unauthenticated or low-privileged user who can reach the affected plugin endpoints. No special authentication or network position is required beyond being able to send requests to the WordPress site. The attack surface is broad, as the plugin is used on many sites and the flaw can be triggered remotely [1].

An attacker exploiting this missing authorization can perform actions that should be restricted to higher-privileged users, such as administrators. This could lead to unauthorized configuration changes, data exposure, or other administrative-level operations, depending on the specific functions exposed by the plugin [1].

The vendor has released version 2.5.2 which patches the vulnerability. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].