CVE-2026-25012

Vulnerability

Overview

The WP Bannerize Pro plugin for WordPress, versions up to and including 1.11.0, contains a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, meaning the plugin fails to properly verify that a user has the necessary permissions before executing certain privileged actions [1].

Exploitation

This broken access control issue can be exploited by an unauthenticated attacker who can send crafted requests to the vulnerable endpoints. No authentication is required, and the attack can be performed remotely targets the WordPress installation. The vulnerability is considered low complexity and can be leveraged in mass-exploit campaigns against thousands of sites simultaneously [1].## Impact

Successful exploitation allows an attacker to perform actions that should be restricted to higher-privileged users, such as administrators. This could lead to unauthorized modification of plugin settings, banner data, or other protected functionality, potentially compromising the site's integrity or exposing sensitive information [1].## Mitigation

The vendor has released version 1.11.1 which addresses the issue. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].