VYPR
Medium severity 6.5 · NVD Advisory · Published Dec 18, 2025 · Updated Apr 27, 2026

CVE-2025-64273

Description

Missing Authorization vulnerability in GetResponse Email marketing for WordPress by GetResponse Official getresponse-official allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Email marketing for WordPress by GetResponse Official: from n/a through <= 1.5.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in GetResponse Email marketing plugin for WordPress (<=1.5.3) allows unauthenticated attackers to exploit broken access controls.

The GetResponse Email marketing for WordPress plugin (getresponse-official) contains a missing authorization vulnerability in versions up to and including 1.5.3. The issue stems from incorrectly configured access control security levels, which allow unprivileged users to execute actions that should require higher privileges [1].

The vulnerability can be exploited over the network without authentication, and does not require user interaction. Attackers can target thousands of websites at once in mass-exploit campaigns, as the flaw affects any site running the vulnerable plugin version [1]. The attack surface is broad because the plugin is widely deployed for email marketing.

Successful exploitation enables an attacker to perform actions that should be restricted to higher-privileged users, such as modifying plugin settings or accessing sensitive data, depending on the specific missing authorization check [1]. The CVSS v3.1 score is 6.5 (Medium), reflecting a significant but not critical risk.

The vulnerability is patched in version 1.5.4 of the plugin. Immediate update to version 1.5.4 or later is strongly recommended. For sites unable to update immediately, hosting providers or web developers should apply mitigations such as Patchstack's rules to block attacks until the update can be performed [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
