CVE-2026-25021
Description
Missing Authorization vulnerability in Mizan Themes Mizan Demo Importer (mizan-demo-importer) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mizan Demo Importer: from n/a through <= 0.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Mizan Demo Importer plugin <=0.1.3 allows unauthenticated access to import functions, enabling potential site takeover.
Vulnerability Overview
The Mizan Demo Importer plugin for WordPress contains a missing authorization vulnerability (CWE-862) in versions up to 0.1.3. The plugin fails to properly verify access rights before allowing users to execute demo import functions, effectively providing unauthenticated access to functionality that should require higher privileges. [1]
Exploitation
An attacker does not need any authentication or prior privileges. By sending crafted HTTP requests to the vulnerable endpoint, they can trigger the import of arbitrary demo content. This can include malicious payloads or overwrite existing site settings. The flaw is classified as "Broken Access Control," indicating a lack of necessary permission checks. [1]
Impact
Successful exploitation allows an attacker to inject arbitrary content, potentially leading to site defacement, insertion of backdoors, or complete site takeover. The vulnerability is known to be exploited in mass campaigns targeting thousands of websites. [1]
Mitigation
The vendor has released version 0.1.4, which addresses the missing authorization. Users are strongly advised to update immediately. No workaround is available. Patchstack users can enable auto-updates for vulnerable plugins. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
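To act on the affected range and the mitigation above, the following added example (not code from the vendor or from this page's source) checks a WordPress plugins directory for an install of `mizan-demo-importer` at or below 0.1.3. It assumes the plugin declares its version in the standard WordPress plugin header of a top-level PHP file; the sample file name `plugin-main.php` is hypothetical and the sample install is constructed.

```python
import re
import tempfile
from pathlib import Path

SLUG = "mizan-demo-importer"   # plugin slug as given in the CVE description
LAST_AFFECTED = (0, 1, 3)      # advisory range: through <= 0.1.3

NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)

def parse_version(text):
    """'0.1.3' -> (0, 1, 3). Trailing zeros are dropped so 0.1.3.0 == 0.1.3."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    nums = [int(n) for n in m.group(0).split(".")] if m else []
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)  # unparsable -> (), treated as affected (conservative)

def installed_version(plugins_dir):
    """Return the Version header of the plugin, or None if not installed."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only inspects the start of each top-level file for headers.
        head = php.read_text(errors="replace")[:8192]
        found = VERSION_RE.search(head)
        if NAME_RE.search(head) and found:
            return found.group(1)
    return None

def check(plugins_dir):
    """Classify one wp-content/plugins directory."""
    version = installed_version(plugins_dir)
    if version is None:
        return "absent"
    return "affected" if parse_version(version) <= LAST_AFFECTED else "not-affected"

def make_sample(root, version):
    """Constructed sample install; the PHP file name is hypothetical."""
    plugin_dir = Path(root) / SLUG
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "plugin-main.php").write_text(
        f"<?php\n/**\n * Plugin Name: Sample\n * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    for v in ("0.1.3", "0.1.4"):
        with tempfile.TemporaryDirectory() as tmp:
            print(v, check(make_sample(tmp, v)))
```

Point `check()` at each site's real `wp-content/plugins` path; a result of `affected` means the install falls in the range this CVE lists.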
Affected products (1)
- Range: <=0.1.3
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.