CVE-2025-67993

Vulnerability

Overview

The Atarim plugin for WordPress (atarim-visual-collaboration) versions up to and including 4.2.1 suffer from a missing authorization vulnerability [1]. This broken access control issue means that certain functions lack proper permission checks, allowing users without the required privileges to execute actions intended for higher-privileged roles.

Exploitation

An attacker can exploit this vulnerability without needing any special authentication or by leveraging a low-privileged account. The missing authorization check enables them to trigger administrative or other sensitive operations that should be restricted. Given the plugin's widespread use, this flaw is expected to be targeted in mass-exploit campaigns, affecting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation allows an unprivileged user to perform actions that compromise the security of the WordPress site. This could include modifying settings, accessing sensitive data, or escalating privileges further, potentially leading to full site takeover.

Mitigation

The vulnerability has been addressed in version 4.2.2 of the Atarim plugin. Users are strongly advised to update immediately to the patched version. For those unable to update, applying a mitigation rule from security services like Patchstack can block attacks until the update is applied [1].