CVE-2025-64245

The WordPress plugin Import external attachments versions up to and including 1.5.12 contain a missing authorization vulnerability [1]. This is a broken access control issue, meaning the software fails to properly verify a user's privileges before allowing certain functionality [1]. The lack of an authorization or nonce token check in a function could allow unintended access [1].

An attacker who can exploit this? An unauthenticated or low-privileged attacker (e.g., subscriber) could potentially trigger the vulnerable function without proper permission checks [1]. Because the plugin does not validate whether the current user has the required capabilities, the attacker can execute actions that should be reserved for higher-privileged roles (like administrators) [1]. The attack surface is limited to WordPress sites running the affected plugin version, with no other authentication bypass required beyond the missing check itself.

Successful exploitation could allow the attacker to import external attachments without authorization, potentially uploading files or performing other import-related operations that bypass the intended security levels [1]. This could lead to unwanted file imports or other data manipulation, depending on the functionality exposed by the unauthenticated import endpoint. Given that this vulnerability details, it is likely that this flaw can be leveraged in mass-exploit attacks targeting thousands of sites [1].

The plugin vendor has released a patched version (1 version after 1.5.12 [1]. Users are strongly advised to update to the latest available version immediately [1]. For sites running an older version, disabl this plugin or apply a workaround (e.g., restrict access to the import functionality until an update can be applied). The vulnerability has been published at Patchstack's database [1] and is considered a medium-risk (CVSS 4.3) issue but is actively being monitored for potential mass exploitation [1].