Medium severity5.4NVD Advisory· Published Dec 9, 2025· Updated Apr 27, 2026

CVE-2025-62999

Description

Missing Authorization vulnerability in themezaa Litho Addons litho-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Litho Addons: from n/a through <= 3.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing Authorization in Litho Addons plugin allows unauthenticated attackers to exploit access control issues, potentially leading to unauthorized actions on WordPress sites.

Vulnerability

Overview

The Litho Addons WordPress plugin (versions up to and including 3.5) contains a missing authorization vulnerability. The root cause is incorrectly configured access control security levels, which fail to properly enforce authentication or authorization checks for certain functions [1].

Exploitation

Details

This vulnerability is exploitable without requiring authentication. Attackers can send crafted requests to arbitrary endpoints that lack proper permission checks. Such vulnerabilities are frequently leveraged in mass-exploit campaigns, targeting thousands of websites regardless of size or popularity [1].

Impact

Successful exploitation allows unprivileged users to execute actions that should require higher privileges, effectively granting unauthorized access to sensitive functionality. This can lead to data manipulation, privilege escalation, or other malicious activities depending on the affected component.

Mitigation

The vendor has not released a patch for this specific version, but immediate action is recommended: update the Litho Addons plugin to the latest available version. If an update is not possible, contact your hosting provider or web developer for assistance. The vulnerability is listed in the Patchstack database and is actively used in attacks [1].

References

Broken Access Control in WordPress Litho Addons Plugin

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Litho Addonsinferred2 versions
<=3.5+ 1 more
- (no CPE)range: <=3.5
- (no CPE)range: <=3.5
Package: https://wordpress.org/plugins/litho-addons

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

patchstack.com/database/Wordpress/Plugin/litho-addons/vulnerability/wordpress-litho-addons-plugin-3-4-broken-access-control-vulnerabilitynvd

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000