CVE-2025-67562
Description
Missing Authorization vulnerability in WebCodingPlace Image Caption Hover Pro image-caption-hover-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Caption Hover Pro: from n/a through < 20.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing Authorization in Image Caption Hover Pro before version 20.0 allows unauthenticated attackers to exploit incorrectly configured access controls.
The WordPress plugin Image Caption Hover Pro suffers from a missing authorization vulnerability, classified as a Broken Access Control issue. The plugin fails to properly enforce access control checks on certain functions, allowing attackers to bypass intended restrictions. This vulnerability affects all versions before 20.0 [1].
The attack surface is broad: an unauthenticated attacker can exploit the missing authorization checks without needing any special privileges or authentication. The vulnerability can be used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity. No user interaction is required for exploitation [1].
Successful exploitation could allow an attacker to perform unauthorized actions within the plugin, such as modifying settings or data that should be restricted. The CVSS v3 base score is 5.4 (Medium), indicating a moderate impact on confidentiality, integrity, and availability. Although the severity is rated low by the vendor, the ease of mass exploitation increases the real-world risk [1].
The vulnerability has been patched in version 20.0. Users are strongly advised to update to this version or later. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not immediately possible, it is recommended to contact a hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: < 20.0
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.