CVE-2025-67913

Vulnerability

Overview

The Aruba HiSpeed Cache plugin for WordPress versions up to and including 3.0.2 contains a Missing Authorization vulnerability [1]. This flaw stems from improper enforcement of access controls on certain plugin functions, meaning that protected functionality can be accessed without the required privileges [1].

Exploitation

Details

An attacker can exploit this vulnerability by sending crafted requests to the affected plugin endpoints, bypassing the intended ACL checks ACLs. No authentication or special network position is required, as the missing check makes these functions publicly accessible [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute privileged actions that should be restricted to higher-level users. This could include administrators [1]. This can lead to unauthorized configuration changes or other operations that compromise the site's integrity or availability [1].

Mitigation

The vendor released a fix in version 3.0.3 of the plugin [1]. Users are advised to update to this patched version immediately. If updating is not possible, Patchstack offers a virtual mitigation rule that blocks exploitation attempts until the update can be applied [1].