CVE-2025-62993
Description
Missing Authorization vulnerability in rainafarai Notification for Telegram notification-for-telegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Notification for Telegram: from n/a through <= 3.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in the Notification for Telegram plugin (<=3.5.1) allows unprivileged users to exploit incorrectly configured access controls.
Root Cause
The vulnerability is a missing authorization (broken access control) issue in the WordPress plugin Notification for Telegram versions from n/a through 3.5.1. The plugin fails to properly enforce access control security levels, allowing exploitation by unprivileged users. This is a classic case of missing capability or nonce token checks in plugin functions [1].
Exploitation
Attackers can exploit this vulnerability without requiring higher-level privileges, as the flawed access control permits lower-privileged users (e.g., subscribers) to execute actions intended for administrators or editors. No specific authentication bypass is needed beyond the user's existing session — the bug lies in the absence of authorization checks, not in authentication [1].
Impact
Successful exploitation enables an attacker to perform unauthorized actions within the WordPress installation, potentially compromising the site's security. The vulnerability has a CVSS v3 score of 4.3 (Medium) and a low severity impact, although the reference notes that similar flaws are frequently used in mass-exploit campaigns targeting thousands of sites [1].
Mitigation
The vulnerability has been patched in version 3.5.2 of the plugin. Users are strongly advised to update to the latest version immediately. If unable to update, contacting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins as an additional precaution [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=3.5.1
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.