CVE-2025-67575
Description
Missing Authorization vulnerability in Andrew Lima Sitewide Notice WP sitewide-notice-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sitewide Notice WP: from n/a through <= 2.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sitewide Notice WP plugin <= 2.4.1 has a missing authorization check, allowing unauthenticated users to modify site-wide notices.
Vulnerability Overview
The Sitewide Notice WP plugin for WordPress, versions 2.4.1 and earlier, contains a missing authorization vulnerability (broken access control). This flaw means that certain functions within the plugin do not properly verify whether the requesting user has the necessary permissions, such as admin-level privileges. The issue is classified as CWE-862 (Missing Authorization) and arises from insufficient access control checks in the plugin's code [1].
Exploitation Method
An attacker can exploit this vulnerability without needing to authenticate, provided the targeted website is running a vulnerable version of the plugin. By sending specially crafted HTTP requests to the WordPress instance, the attacker can trigger the vulnerable function without passing any authorization checks. This is a typical broken access control scenario where security levels are not correctly configured or enforced [1].
Impact
If successfully exploited, an unauthenticated attacker can modify the site-wide notice settings, potentially displaying arbitrary content to all visitors. This could be used for defacement, phishing, or spreading misleading information under the guise of a legitimate site notice. The CVSS v3 base score of 5.3 (Medium) reflects the potential for significant, albeit not critical, impact on the website's integrity [1].
Mitigation
The vulnerability has been patched in version 2.4.2 of the plugin. Administrators are strongly advised to update immediately. Those using Patchstack can enable auto-updates to protect against this and similar flaws. For sites where updating is not immediately possible, deactivating the plugin until it can be updated is a temporary workaround [1].
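An added example, not part of the original page or the plugin's code: a Python check that reads the plugin header under wp-content/plugins/sitewide-notice-wp and reports whether the installed version falls in the affected range (<= 2.4.1). The default WordPress directory layout, the function names and the sample header are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

SLUG = "sitewide-notice-wp"   # plugin slug, from the CVE description
LAST_AFFECTED = (2, 4, 1)     # affected range on the page: <= 2.4.1

# WordPress reads plugin metadata from "Key: value" lines in the header comment
# of a top-level PHP file in the plugin directory.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*\S", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

# Constructed sample header (not copied from the plugin).
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Sitewide Notice WP\n * Version: 2.4.1\n */\n"


def header_version(text):
    """Return the version tuple from a plugin header, or None if there is none."""
    match = VERSION_RE.search(text)
    if not (match and NAME_RE.search(text)):
        return None
    return tuple(int(p) for p in match.group(1).split("."))


def is_affected(version):
    """True when version <= 2.4.1; trailing zeros are ignored (2.4.1.0 == 2.4.1)."""
    parts = list(version)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts) <= LAST_AFFECTED


def audit(wp_root):
    """Classify one install: 'affected', 'not-affected', 'unknown' or 'not-installed'."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "not-installed"
    for php in sorted(plugin_dir.glob("*.php")):
        # Only the start of each file is searched; headers sit at the top.
        version = header_version(php.read_text(encoding="utf-8", errors="replace")[:8192])
        if version is not None:
            return "affected" if is_affected(version) else "not-affected"
    return "unknown"  # directory exists but no readable plugin header


if __name__ == "__main__":
    print("sample header:", "affected" if is_affected(header_version(SAMPLE_HEADER)) else "not-affected")
    for root in sys.argv[1:]:
        print(f"{root}: {audit(root)}")
```

Pass one or more WordPress root directories as arguments; an "unknown" result means the plugin directory exists but its version could not be read and should be checked by hand.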
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.4.1
Patches
No patches discovered yet.
References