VYPR
Medium severity 6.5 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026

CVE-2025-68542

Description

Missing Authorization vulnerability in vgdevsolutions Checkout Gateway for IRIS checkout-gateway-iris allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Checkout Gateway for IRIS: from n/a through <= 1.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in WordPress Checkout Gateway for IRIS plugin (≤1.3) allows unauthenticated attackers to exploit incorrectly configured access controls, potentially leading to unauthorized actions; update to 1.4.

The vulnerability identified in CVE-2025-68542 is a missing authorization issue in the Checkout Gateway for IRIS plugin for WordPress, affecting versions up to and including 1.3. This broken access control flaw allows attackers to exploit incorrectly configured access control security levels, enabling unauthorized actions without proper authentication or nonce token checks [1].

Attackers can exploit this vulnerability without any prior authentication or privileges, making it accessible to unauthenticated users. The attack surface is broad, as the plugin is used on thousands of websites, and the vulnerability is expected to be leveraged in mass-exploit campaigns targeting sites regardless of size or popularity [1].

Successful exploitation could allow an attacker to execute higher-privileged actions, potentially compromising the affected WordPress site's security and functionality. The impact aligns with typical broken access control issues, where unprivileged users gain unauthorized capabilities [1].

Mitigation is straightforward: update the plugin to version 1.4 or later, which resolves the vulnerability. For those unable to update immediately, Patchstack offers a mitigation rule to block attacks until the update is applied. Users are advised to take immediate action to secure their websites [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
