CVE-2025-68021
Description
Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ConveyThis: from n/a through <= 269.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in ConveyThis WordPress plugin up to version 269.9 allows unprivileged users to execute actions reserved for higher privilege levels, risking exploitation in mass campaigns.
Vulnerability
Overview
CVE-2025-68021 is a missing authorization vulnerability in the ConveyThis WordPress plugin (versions up to 269.9). The plugin fails to properly enforce access control checks, allowing users without the necessary privileges to perform administrative actions. This is a classic broken access control issue where the application does not verify if the current user has permission to execute a specific function or access a resource [1].
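To make the bug class concrete in WordPress terms, the following is an added example written for this page; it is not code from the ConveyThis plugin, from the advisory, or from any real project. It contrasts a hypothetical settings-update REST route that registers no authorization check (the pattern described above) with a hardened version that gates the route on a capability check through permission_callback. The namespace, route paths, option key and function names are all assumptions.

```php
<?php
// Added example for this page (not ConveyThis code). Shows the generic
// "missing authorization" pattern in a WordPress plugin next to its fix.
// Namespace, routes, option key and function names are hypothetical.

// BEFORE: permission_callback is '__return_true', so WordPress runs the
// handler for any caller, and the handler itself never checks capabilities.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings_unchecked',
        'permission_callback' => '__return_true', // missing authorization
    ) );
} );

function example_update_settings_unchecked( WP_REST_Request $request ) {
    // Writes an admin-level option without checking who is asking.
    update_option( 'example_plugin_settings', $request->get_json_params() );
    return rest_ensure_response( array( 'updated' => true ) );
}

// AFTER: the route is only callable by users holding manage_options.
// WordPress evaluates permission_callback before the handler runs, and for
// cookie-authenticated requests it also verifies the X-WP-Nonce header, so
// an anonymous or subscriber-level caller is answered with 401 or 403.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings_checked',
        'permission_callback' => 'example_can_manage_settings',
        'args'                => array(
            'language' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_can_manage_settings() {
    // Capability check: the authorization step the vulnerable route lacks.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to change these settings.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_update_settings_checked( WP_REST_Request $request ) {
    // Only the declared, sanitized parameter reaches the option.
    update_option( 'example_plugin_settings', array(
        'language' => $request->get_param( 'language' ),
    ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

The same rule applies to admin-ajax handlers: a hook registered on wp_ajax_nopriv_* is reachable without login, so the handler must call current_user_can() for the capability the action requires and check_ajax_referer() for the nonce before touching options or translations. When reviewing a plugin for this bug class, list every REST route, AJAX action and admin-post handler and confirm that each one performs its own capability check rather than relying on the menu page that normally links to it.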
Exploitation
Exploitation does not require authentication bypass but rather leverages the fact that the plugin omits authorization checks. Any unauthenticated or low-privileged user can directly call endpoints or functions that should be restricted to higher-privileged roles like administrators. According to the advisory, vulnerabilities of this type are actively used in mass-exploit campaigns targeting thousands of websites simultaneously [1]. Attackers can automate exploitation to scan for vulnerable installations.
Impact
Successful exploitation allows an attacker to perform actions that they should not have access to, such as modifying plugin settings, altering translations, or potentially escalating privileges further within the WordPress site. The CVSS score of 6.5 (Medium) reflects the moderate severity, but the ease of exploitation and the potential for automation increase the risk significantly [1].
Mitigation
The vendor has not yet released a patched version beyond 269.9 at the time of publication. Users are strongly advised to update immediately if a fix becomes available, or to implement workarounds such as disabling the plugin until a patch is applied. Hosting providers and web developers should be contacted for assistance if the update cannot be performed directly [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 269.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.