CVE-2025-64238

Vulnerability

Overview

The WPS Bidouille WordPress plugin versions up to and including 1.33.1 contain a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, allowing exploitation of broken access control mechanisms [1].

Exploitation

An attacker can exploit this vulnerability without requiring authentication or elevated privileges. The missing authorization check means that unprivileged users can access functions or data that should be restricted to higher-privileged roles. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Impact

Successful exploitation enables an attacker to perform actions or access resources that should be protected, potentially leading to unauthorized data exposure or privilege escalation. The CVSS v3 base score is 4.3 (Medium), indicating a moderate severity with low exploitation likelihood [1].

Mitigation

The vulnerability has been addressed in version 1.33.2 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].