CVE-2025-64234
Description
Missing Authorization vulnerability in Evergreen Content Poster Evergreen Content Poster evergreen-content-poster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Evergreen Content Poster: from n/a through <= 1.4.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Evergreen Content Poster plugin <=1.4.5 allows unauthenticated exploitation of access control levels.
Vulnerability Analysis
The Evergreen Content Poster plugin for WordPress, versions up to and including 1.4.5, contains a missing authorization vulnerability. This flaw arises from incorrectly configured access control security levels, specifically a broken access control issue involving a missing authorization, authentication, or nonce token check in a function [1].
Exploitation Prerequisites
Exploitation does not require authentication. An unprivileged user can execute higher-privileged actions by sending crafted requests to the vulnerable endpoint. The plugin fails to verify proper capabilities before allowing certain operations, making it possible for attackers to access restricted functionality [1].
Impact
Successful exploitation can lead to unauthorized modification of content poster settings or actions that should be limited to higher-privileged users. While the vulnerability is rated as low severity (CVSS 4.3), it has been noted in mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity [1].
Mitigation
The vendor has released version 1.4.6 which resolves the issue. Users are strongly advised to update immediately. Patchstack auto-update can be enabled for vulnerable plugins. As an immediate workaround, those unable to update should consult their hosting provider or web developer [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=1.4.5
- Range: <=1.4.5
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.