VYPR
Medium severity 5.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-63069

Description

Missing Authorization vulnerability in Vinod Dalvi Ivory Search add-search-to-menu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ivory Search: from n/a through <= 5.5.12.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ivory Search plugin <=5.5.12 has a missing authorization vulnerability allowing unauthenticated attackers to exploit broken access controls.

Vulnerability Overview

The Ivory Search plugin for WordPress (add-search-to-menu), in versions up to and including 5.5.12, contains a missing authorization vulnerability [1]. This broken access control issue stems from incorrectly configured access control security levels, meaning that certain functions or endpoints lack proper authorization checks [1].

Exploitation

This vulnerability can be exploited without authentication, as the missing authorization allows unprivileged users to execute actions that should require higher privileges [1]. The attack surface is broad because the plugin is widely used, and the vulnerability can be mass-exploited against thousands of websites regardless of their traffic size or popularity [1].

Impact

Successful exploitation enables an attacker to perform unauthorized actions within the WordPress installation, potentially leading to privilege escalation or other security breaches [1]. The CVSS v3 base score is 5.3 (Medium), indicating a moderate severity [1].

Mitigation

The vendor has released version 5.5.13, which resolves the vulnerability [1]. Users are strongly advised to update immediately. If updating is not possible, contact your hosting provider or web developer for assistance [1]. Patchstack users can enable auto-update for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.


References: 1
