CVE-2025-64632

Vulnerability

Overview The Google XML Sitemaps plugin for WordPress (versions up to and including 4.1.22) contains a missing authorization vulnerability. The plugin fails to properly verify access control security levels, allowing incorrectly configured access to certain functions [1].

Exploitation

Details This issue can be exploited over the network without authentication. Attackers with low privileges may access functions that should require higher privileges, such as administrative actions [1]. The vulnerability has been observed in mass-exploit campaigns targeting thousands of websites, regardless of size [1].

Impact

Successful exploitation could allow an attacker to manipulate sitemap generation, potentially leading to information disclosure or further compromise of the WordPress installation [1]. The official CVSS score is 5.3 (Medium), but the real-world impact may be higher due to widespread exploitation.

Mitigation

The vulnerability is patched in version 4.1.23 of the plugin. Users are strongly advised to update immediately. If automatic updates are enabled via a security plugin like Patchstack, the update will be applied automatically [1]. For those unable to update, consulting a hosting provider or developer is recommended.