CVE-2025-63002

Vulnerability

Overview

The Sermon Manager plugin for WordPress (versions up to and including 2.30.0) contains a missing authorization vulnerability. This flaw stems from an incorrectly configured access control security level, which fails to properly verify user permissions before allowing certain actions. The issue is classified as a Broken Access Control vulnerability, meaning the plugin does not enforce proper authorization checks on functions that should require higher privileges [1].

Exploitation

An attacker can exploit this vulnerability without needing any prior authentication or special privileges. Because the access control is missing or misconfigured, unauthenticated users may be able to trigger actions that should be restricted to administrators or other privileged roles. This type of vulnerability is commonly targeted in mass-exploit campaigns, where attackers scan for vulnerable installations and attempt to compromise thousands of sites at once [1].

Impact

Successful exploitation could allow an attacker to perform unauthorized actions within the WordPress site, such as modifying or deleting sermon data, altering plugin settings, or potentially gaining further access depending on the missing authorization context. The CVSS v3 base score of 5.3 (Medium) reflects the potential for unauthorized access to functionality without authentication [1].

Mitigation

The vendor has not released a patched version beyond 2.30.0 at the time of publication. Users are strongly advised to update the plugin immediately if a fix becomes available. If an update is not possible, site owners should contact their hosting provider or a web developer to implement alternative access controls or consider disabling the plugin until a patch is applied [1].