CVE-2025-69028
Description
Missing Authorization vulnerability in BoldGrid weForms weforms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects weForms: from n/a through <= 1.6.25.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated broken access control vulnerability in weForms ≤1.6.25 allows attackers to exploit missing authorization checks.
The weForms plugin for WordPress versions up to 1.6.25 suffers from a broken access control vulnerability due to missing authorization checks [1]. This flaw falls under the category of incorrectly configured access control security levels, meaning an unauthenticated user can trigger actions that should be restricted to higher-privileged roles [1].
Exploitation of this vulnerability is straightforward because the affected functions perform neither an authentication check nor nonce token validation [1]. Attackers can target thousands of websites running the plugin in mass-exploit campaigns, regardless of a site's traffic or popularity [1]. The low severity CVSS score (5.3) reflects the relatively limited immediate impact, but the widespread nature of such campaigns amplifies the risk [1].
If exploited, an attacker gains the ability to perform unauthorized actions within the weForms functionality, leveraging the incorrect configuration of access controls [1]. The specific attacker capabilities are not detailed in the advisory, but broken access control issues commonly allow data exposure or modification of settings [1].
Update to weForms version 1.6.26 or later to remediate this vulnerability [1]. Users of Patchstack can enable auto-updates for vulnerable plugins. If updating is not immediately possible, contact a hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (No linked articles in our index yet.)