CVE-2026-25011

The WP Custom Admin Interface plugin for WordPress, up to and including version 7.41, is vulnerable to a missing authorization issue (CVE-2026-25011). This flaw allows exploiting incorrectly configured access control security levels due to a lack of proper authorization checks in one or more functions [1].

An attacker who is an unprivileged user (e.g., subscriber or contributor) can exploit this broken access control to execute higher-privileged actions without proper authentication or nonce token verification. The vulnerability arises from missing authorization, authentication, or nonce token checks in the plugin's code [1].

The impact is that an attacker may be able to perform actions that should require higher privileges, potentially compromising the site. The severity is medium (CVSS 3.1 base score 4.3). While Patchstack notes the vulnerability has low severity and is unlikely to be exploited, it is important to address as part of defense-in-depth [1].

Mitigation is available. The vulnerability has been fixed in version 7.42 of the plugin. Users are strongly advised to update immediately. Alternatively, Patchstack users can enable auto-updates for vulnerable plugins [1].