CVE-2025-68564
Description
Missing Authorization vulnerability in sendy Sendy sendy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendy: from n/a through <= 3.4.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in the Sendy plugin for WordPress (3.4.2 and below) allows unauthenticated privilege escalation via broken access control.
Vulnerability Overview
The Sendy plugin for WordPress versions 3.4.2 and earlier contains a missing authorization vulnerability (CWE-862) that allows an attacker to exploit incorrectly configured access control security levels. The plugin fails to properly verify nonce tokens or user capabilities before executing certain privileged actions, enabling unauthenticated users to perform operations intended for higher-privileged roles [1].
Exploitation Details
This broken access control issue can be exploited remotely without authentication by sending crafted requests that bypass authorization checks. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns, where attackers target thousands of sites running the vulnerable plugin regardless of traffic size or popularity [1].
Impact
Successful exploitation allows an unprivileged attacker to execute higher-privileged actions within the WordPress installation, potentially leading to unauthorized data access, site defacement, or further compromise. The CVSS v3 base score of 6.5 reflects the medium severity of this vulnerability [1].
Mitigation
The vendor has released version 3.4.3 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the patch is applied. Hosting providers or web developers can assist with the update process [1].
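To act on the update advice above, the following added example (not code from the vendor or from this page) audits WordPress document roots for a Sendy plugin older than 3.4.3 by reading the standard plugin header. It assumes the default `wp-content/plugins/<slug>` layout and that the install directory matches the slug `sendy` from the description; the file name `sendy.php` and the sample trees are constructed.

```python
import re
import tempfile
from pathlib import Path

SLUG = "sendy"      # plugin slug as written in the CVE description
FIXED = (3, 4, 3)   # fixed release named in the Mitigation section

# WordPress plugin header line, e.g. " * Version: 3.4.2"
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*(\d[\w.\-]*)", re.M | re.I)

def parse_version(text):
    """'3.4.10' -> (3, 4, 10): numeric compare, so 3.4.10 sorts after 3.4.3."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def installed_version(plugin_dir):
    """Version string from the top-level PHP file carrying the plugin header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192]  # WordPress reads only the first 8 KiB
        match = VERSION_RE.search(head)
        if b"Plugin Name:" in head and match:
            return match.group(1).decode()
    return None

def audit(wp_roots):
    """Return [(root, version, status)] for each WordPress root given."""
    report = []
    for root in wp_roots:
        plugin_dir = Path(root) / "wp-content" / "plugins" / SLUG  # assumed default layout
        if not plugin_dir.is_dir():
            report.append((str(root), None, "not-installed"))
            continue
        version = installed_version(plugin_dir)
        if version is None:
            status = "unknown"  # directory present but no readable header
        else:
            status = "vulnerable" if parse_version(version) < FIXED else "patched"
        report.append((str(root), version, status))
    return report

def make_sample(base, name, version):
    """Constructed sample: a minimal plugin tree with only a header file."""
    plugin_dir = Path(base) / name / "wp-content" / "plugins" / SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/**\n * Plugin Name: Sendy\n * Version: {version}\n */\n"
    (plugin_dir / "sendy.php").write_text(header)
    return Path(base) / name

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        roots = [make_sample(tmp, f"site{i}", v) for i, v in enumerate(["3.4.2", "3.4.3", "3.4.10"])]
        for root, version, status in audit(roots):
            print(f"{status:13} {version}  {root}")
```

Sites that relocate `wp-content` or rename the plugin directory will report `not-installed` and need their actual plugin path passed in instead.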
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)