CVE-2025-62980
Description
Missing Authorization vulnerability in MDZ Persian Admin Fonts persian-admin-fonts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Persian Admin Fonts: from n/a through <= 4.1.03.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in MDZ Persian Admin Fonts allows unauthenticated attackers to exploit incorrectly configured access controls, affecting versions up to 4.1.03.
Vulnerability
Overview
CVE-2025-62980 describes a missing authorization vulnerability in the MDZ Persian Admin Fonts plugin for WordPress. The plugin fails to properly validate access control security levels, allowing an attacker to exploit incorrectly configured access controls. This issue affects all versions up to and including 4.1.03 [1].
Exploitation
The vulnerability is a broken access control issue, meaning that the plugin does not check for proper authorization, authentication, or nonce tokens in certain functions. This could allow an unprivileged user to perform actions that should require higher privileges. The attack can be carried out remotely without authentication, making it a low-complexity vector that could be used in mass-exploit campaigns targeting thousands of websites [1].
Impact
If exploited, an attacker could gain unauthorized access to functions or data that are normally restricted to higher-privileged users. This could lead to partial compromise of the WordPress site's security, though the severity is rated as medium (CVSS 5.4) and the chances of exploitation are considered low according to the vendor [1].
Mitigation
Users are advised to update the plugin to version 4.1.05 or later, which resolves the vulnerability. For those using Patchstack, auto-updates can be enabled for vulnerable plugins. If immediate updating is not possible, users should contact their hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=4.1.03
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.