CVE-2025-68995
Description
Missing Authorization vulnerability in Premio My Sticky Elements mystickyelements allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Sticky Elements: from n/a through <= 2.3.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
My Sticky Elements plugin <=2.3.3 has missing authorization, allowing unprivileged users to exploit incorrectly configured access controls.
Vulnerability
Description
CVE-2025-68995 is a Missing Authorization vulnerability in the WordPress plugin My Sticky Elements (mystickyelements), version 2.3.3 and earlier [1]. The plugin fails to properly enforce access control checks, leading to a broken access control issue where functions lack authorization, authentication, or nonce token validation [1]. This can be exploited by an unauthenticated or low-privileged user to perform actions that should require higher privileges.
Exploitation
An attacker can exploit this weakness without requiring any special privileges, as the missing authorization means no check is performed on the user's capability [1]. The attack surface is the web-facing plugin endpoints exposed on WordPress sites. No authenticated session or elevated role is needed; the attacker simply sends crafted requests to the endpoints that lack access control checks.
Impact
Successful exploitation allows an attacker to execute actions intended for higher-privileged users, potentially leading to unauthorized configuration changes, data exposure, or privilege escalation within the scope of the plugin [1]. The CVSS v3 score is 4.3 (Medium), reflecting the moderate impact and low complexity of exploitation.
Mitigation
The plugin vendor released version 2.3.4 which fixes the broken access control [1]. Users should update to 2.3.4 or later immediately. For those unable to update, contacting the hosting provider or web developer is advised. Patchstack users can enable auto-update for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.3.3
- Range: <=2.3.3
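To act on the upgrade advice and the affected range above, it helps to know which sites still run an affected build. The following is an added example, not taken from the CVE record or the vendor: a Python audit that reads the plugin's `Version:` header on disk and compares it with 2.3.4. It assumes a hosting layout of `<web_root>/<site>/wp-content/plugins/mystickyelements`; the sample tree and the file name `main.php` are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

SLUG = "mystickyelements"   # plugin slug named in the CVE description
FIXED = (2, 3, 4)           # first fixed release according to this page
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def parse_version(text):
    """'2.3.3' -> (2, 3, 3); short forms such as '2.3' are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads headers from the first 8 KB
        match = VERSION_RE.search(head) if "Plugin Name:" in head else None
        if match:
            return match.group(1)
    return None

def audit(web_root):
    """List (site, version, status) for each copy of the plugin under web_root."""
    findings = []
    for plugin_dir in sorted(Path(web_root).rglob(SLUG)):
        # Assumed layout: <web_root>/<site>/wp-content/plugins/<slug>
        if not plugin_dir.is_dir() or plugin_dir.parent.name != "plugins":
            continue
        version = installed_version(plugin_dir)
        if version is None:
            status = "unknown"       # no readable header: inspect by hand
        elif parse_version(version) < FIXED:
            status = "vulnerable"    # 2.3.3 or earlier, the affected range
        else:
            status = "patched"
        findings.append((plugin_dir.relative_to(web_root).parts[0], version, status))
    return findings

def demo():
    """Run the audit over a constructed tree of three sample sites."""
    with tempfile.TemporaryDirectory() as root:
        for site, ver in (("site-a", "2.3.3"), ("site-b", "2.3.4"), ("site-c", "2.2")):
            d = Path(root, site, "wp-content", "plugins", SLUG)
            d.mkdir(parents=True)
            (d / "main.php").write_text(f"<?php\n/*\n * Plugin Name: Sample\n * Version: {ver}\n */\n")
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Sites reported as `unknown` have a plugin directory without a readable header and need a manual look before they are counted as patched.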
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.