CVE-2025-63022

Vulnerability

Overview The Simple Like Page plugin for WordPress (simple-facebook-plugin) versions up to and including 1.5.3 contain a missing authorization vulnerability. This is a broken access control issue where the plugin fails to properly verify user permissions or nonce tokens before executing certain functions, allowing unprivileged users to perform actions that should require higher privileges [1].

Exploitation

Attackers can exploit this vulnerability without authentication by sending crafted requests to the affected plugin endpoints. The missing authorization check means no special privileges are needed to trigger the vulnerable functionality, making it accessible to any visitor of a WordPress site running the vulnerable plugin [1].

Impact

Successful exploitation could allow an attacker to perform unauthorized actions within the plugin's context, potentially leading to data exposure or manipulation. The vulnerability is rated as Medium severity (CVSS 5.3) and is noted as being used in mass-exploit campaigns targeting thousands of websites regardless of size [1].

Mitigation

The vulnerability has been patched in version 2.0.0 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].