CVE-2025-69013

Vulnerability

Overview

The Stratum WordPress plugin, versions up to and up to and including 1.6.1, contains a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, meaning the plugin fails to properly verify user permissions before allowing certain actions. The issue is classified as a broken access control vulnerability, which can be exploited by unauthenticated attackers to execute higher-privileged actions without proper authentication or nonce token checks [1].

Exploitation and

Attack Surface

Exploitation requires no authentication, making the attack surface broad. Attackers can target any WordPress site running the vulnerable plugin version. The vulnerability is particularly concerning because it can be leveraged in mass-exploit campaigns, allowing attackers to compromise thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation allows an unprivileged user to perform actions that should require higher privileges. This could lead to unauthorized data access, content manipulation, or other administrative-level operations, depending on the specific function affected. The CVSS v3 score of 4.3 (Medium) reflects the potential for significant impact, though the vendor notes the issue has low severity and is unlikely to be exploited in practice [1].

Mitigation

The vulnerability has been patched in version 1.6.2 of the Stratum plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely protection [1].