CVE-2025-64249

Vulnerability

Overview CVE-2025-64249 is a missing authorization vulnerability in the Protect WP Admin plugin for WordPress, affecting versions up to and including 4.1. The plugin fails to properly enforce access control security levels, allowing attackers to exploit incorrectly configured access controls [1].

Exploitation

This broken access control issue can be exploited without authentication, as the plugin does not perform adequate authorization checks on certain functions. Attackers can leverage this to perform actions that should require higher privileges, potentially targeting thousands of websites in mass-exploit campaigns [1].

Impact

Successful exploitation allows an unprivileged user to execute higher-privileged actions, such as accessing or modifying protected admin areas. The CVSS v3 score of 5.3 (Medium) reflects the potential for unauthorized access, though the vendor notes a low likelihood of exploitation [1].

Mitigation

The vulnerability is addressed in version 4.2 of the plugin. Users are strongly advised to update immediately. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].