CVE-2025-64247

The Read More & Accordion plugin for WordPress versions up to and including 3.5.5.1 contain a missing authorization vulnerability that results in broken access control. The plugin fails to properly verify user permissions in certain functions, allowing attackers to bypass security restrictions intended for privileged operations. This is classified as an incorrectly configured access control security level issue [1].

Exploitation does not require authentication and can be performed remotely, making the plugin a target for mass-exploit campaigns against thousands of websites regardless of traffic size or popularity. Attackers can craft HTTP requests to trigger unauthorized actions without needing prior access to the site [1].

The impact of successful exploitation is limited to low-severity consequences, such as unauthorized modification of plugin settings or content. While the vulnerability does not directly lead to full site compromise, it can be leveraged for privilege escalation or as part of a larger attack chain. Patchstack notes that the issue is unlikely to be exploited in practice [1].

Mitigation is straightforward: update the plugin to version 3.5.6 or later, which includes the necessary authorization checks. Patchstack users can enable auto-updates for vulnerable plugins to streamline protection. Immediate action is recommended given the potential for automated exploitation campaigns [1].