CVE-2025-67965

Vulnerability

Details

CVE-2025-67965 is a missing authorization vulnerability in the Homey Core plugin for WordPress, affecting versions up to and including 2.4.3. The plugin fails to properly enforce access control checks, allowing unauthenticated or low-privileged users to perform actions that should require higher privileges [1].

Exploitation

The vulnerability can be exploited remotely without authentication, as the missing authorization check leaves certain functions exposed. Attackers can leverage this to bypass security restrictions and execute unauthorized operations. The reference notes that such vulnerabilities are often used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation could allow an attacker to modify plugin settings, access sensitive data, or perform other administrative actions depending on the specific missing authorization. The CVSS score of 5.3 (Medium) reflects the potential for unauthorized access, though the vendor considers the impact low [1].

Mitigation

The issue is resolved in version 2.4.4 of the Homey Core plugin. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended [1].