CVE-2025-67578

Vulnerability

Overview The WP Email Capture plugin for WordPress, versions up to and including 3.12.4, contains a missing authorization vulnerability classified as Missing Authorization (CWE-862). This broken access control issue means that certain functions lack proper authorization, authentication, or nonce token checks[1]. As a result, an unprivileged user can execute actions that should only be available to higher-privileged users.

Exploitation and

Attack Surface The vulnerability can be exploited by any unauthenticated or low-privileged-in user with minimal privileges, as the affected functions do not properly verify permissions[1]. The attack surface is broad because the plugin is widely used in WordPress installations. The vulnerability is being used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity[1]. No special network position or authentication is required beyond the ability to send malicious requests to the WordPress site.

Impact

An attacker successfully exploiting this vulnerability gains the ability to perform higher-privileged actions, such as modifying plugin settings or accessing sensitive data, depending on the affected function[1]. The official CVSS score (5.3, Medium) reflects a moderate impact, though the vendor notes that the severity is low and exploitation is unlikely[1]. However, given its use in automated campaigns, the real-world risk may be higher for sites with the vulnerable plugin.

Mitigation

The vulnerability has been addressed in version 3.12.5 of WP Email Capture. Users are strongly advised to update to this version or later immediately[1]. Patchstack users can enable auto-updates for vulnerable plugins. If immediate updating is not possible, site owners should seek assistance from their hosting provider or a web developer to mitigate the risk[1].