CVE-2025-67584

The WordPress GoDAM plugin by rtCamp suffers from a missing authorization vulnerability (CVE-2025-67584) affecting versions up to and including 1.4.6. This flaw allows an attacker to bypass access control mechanisms, as the plugin does not properly enforce permissions on certain functions [1].

Exploitation does not require authentication, making it accessible to any unauthenticated user who can send crafted requests to the WordPress site. The vulnerability is commonly used in mass-exploit campaigns, allowing attackers to target thousands of websites simultaneously regardless of traffic or popularity [1].

An attacker exploiting this issue can gain unauthorized access to privileged actions or data that should be restricted to higher-level users. This could lead to data leakage, modification, or further compromise of the WordPress installation [1].

The vulnerability has been patched in version 1.4.7. Users are strongly advised to update the plugin immediately. If updating is not possible, it is recommended to seek assistance from a hosting provider or web developer. The Patchstack auto-update feature can also be enabled for vulnerable plugins [1].