CVE-2025-63067
Description
Missing Authorization vulnerability in p-themes Porto Theme - Functionality porto-functionality allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Porto Theme - Functionality: from n/a through < 3.7.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in the Porto Theme - Functionality plugin (< 3.7.3) allows unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability Overview
The Porto Theme - Functionality plugin for WordPress (versions before 3.7.3) contains a missing authorization vulnerability. The plugin fails to properly enforce access control checks in certain functions, allowing exploitation of incorrectly configured security levels. This is classified as a broken access control issue [1].
Exploitation
An attacker can exploit this vulnerability without requiring authentication or elevated privileges. The missing authorization check means that any unauthenticated user can trigger privileged actions that should be restricted to higher-privileged roles. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].
Impact
Successful exploitation allows an unprivileged attacker to execute higher-privileged actions within the plugin's functionality. Although the severity is rated as medium (CVSS 4.3), the vendor considers the impact low and deems exploitation unlikely [1].
Mitigation
The vulnerability has been patched in version 3.7.3 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 3.7.3
Patches
No patches discovered yet.
References