CVE-2025-64248

Vulnerability

Overview The Request a Quote plugin for WordPress (versions up to 2.5.3) suffers from a missing authorization vulnerability, classified as a broken access control issue. The root cause is the lack of proper authorization checks in certain functions, which allows unprivileged users to execute actions that should require higher privileges [1].

Exploitation

Details This vulnerability can be exploited by unauthenticated or low-privileged attackers over the network. The attack complexity is low, and no special prerequisites are needed beyond access to the WordPress site. The reference notes that such vulnerabilities are often used in mass-exploit campaigns, targeting thousands of sites regardless of size or popularity [1].

Impact

Successful exploitation enables an attacker to perform actions normally restricted to higher-privileged roles, such as modifying settings or accessing sensitive data. The CVSS score of 4.3 (Medium) reflects a moderate impact, but the potential for widespread automated attacks increases the real-world risk [1].

Mitigation

The vendor has released version 2.5.4, which addresses the missing authorization. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workarounds are mentioned, so updating is the only reliable fix [1].