VYPR
Medium severity 4.3 · NVD Advisory · Published Dec 31, 2025 · Updated Apr 23, 2026

CVE-2025-63038


Description

Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Custom Admin Interface: from n/a through <= 7.40.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in WP Custom Admin Interface ≤7.40 allows unprivileged users to exploit incorrectly configured access controls.

Vulnerability Overview

The WP Custom Admin Interface plugin for WordPress, versions up to and including 7.40, contains a missing authorization vulnerability [1]. This flaw stems from incorrectly configured access control security levels, allowing exploitation of broken access control mechanisms [1]. The issue is classified as a broken access control vulnerability, meaning the plugin fails to properly verify user permissions before granting access to certain functions or data [1].

Exploitation Conditions

An attacker can exploit this vulnerability without requiring authentication or elevated privileges, as the missing authorization check allows unprivileged users to perform actions intended for higher-privileged roles [1]. The attack surface is broad, as the plugin is widely used and the vulnerability can be targeted in mass-exploit campaigns against thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation enables an attacker to bypass access controls and execute actions that should be restricted to administrators or other privileged users [1]. This could lead to unauthorized modification of admin interface settings, potentially affecting the security and functionality of the WordPress site [1]. The severity is rated as medium (CVSS 4.3), with a low likelihood of exploitation in typical scenarios [1].

Mitigation

The vulnerability has been addressed in version 7.41 of the plugin [1]. Users are strongly advised to update immediately to this patched version [1]. For those unable to update, contacting a hosting provider or web developer for assistance is recommended [1]. Patchstack users can enable auto-updates for vulnerable plugins to streamline the patching process [1].
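To confirm whether a given site still runs an affected release, the following added example (not code from the advisory or the plugin) reads the plugin's header and compares it with the fixed version 7.41. It assumes the default `wp-content/plugins/<slug>` layout; the function names are illustrative.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "wp-custom-admin-interface"  # slug as given in the advisory
FIXED_VERSION = (7, 41)                    # first patched release per the advisory

# WordPress takes plugin metadata from "Key: value" lines in a header comment.
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)",
                        re.IGNORECASE | re.MULTILINE)


def installed_version(wp_root):
    """Return the plugin version as a tuple of ints, or None if not found.

    Assumption: the plugin lives in the default wp-content/plugins/<slug>
    directory (sites that relocate wp-content need a different path).
    """
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        with php.open("rb") as fh:
            head = fh.read(8192)  # WordPress only scans the first 8 KB
        if b"Plugin Name:" not in head:
            continue  # not the main plugin file
        match = VERSION_RE.search(head)
        if match:
            return tuple(int(p) for p in match.group(1).decode().split("."))
    return None


def audit(wp_root):
    """Classify one WordPress install against CVE-2025-63038."""
    version = installed_version(wp_root)
    if version is None:
        return "not-installed"
    # Tuple comparison: (7, 40) and (7, 40, 1) sort below (7, 41).
    return "vulnerable" if version < FIXED_VERSION else "patched"


if __name__ == "__main__":
    import sys
    for root in sys.argv[1:]:
        print(f"{root}: {audit(root)}")
```

Run it with one or more WordPress root directories as arguments; a `vulnerable` result means the install is at or below 7.40 and should be updated.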

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
