VYPR
Medium severity 6.5 · NVD Advisory · Published Feb 3, 2026 · Updated Apr 15, 2026

CVE-2026-25036

Description

Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Passster: from n/a through <= 4.2.25.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Passster content-protector plugin for WordPress (≤4.2.25) has a missing authorization vulnerability allowing unprivileged users to exploit incorrectly configured access control security levels.

Vulnerability Overview

The Passster content-protector plugin for WordPress, in versions up to and including 4.2.25, contains a missing authorization vulnerability. This is a broken access control issue in which the plugin fails to properly perform authorization, authentication, or nonce token checks in certain functions. This allows unprivileged users to execute actions that should require higher privileges [1].

Exploitation and Attack Surface

The vulnerability can be exploited by any unauthenticated or low-privileged attacker who can send crafted requests to a WordPress site running the vulnerable plugin. No special prerequisites beyond network access to the site are required. The issue is classified as a broken access control vulnerability, which is commonly targeted in mass-exploit campaigns against thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation allows an attacker to bypass access control restrictions and potentially access or modify protected content, or perform other unauthorized actions. The CVSS v3 base score is 6.5 (Medium), indicating a moderate severity. However, the vendor notes that the security issue has a low severity impact and is unlikely to be exploited [1].

Mitigation

The vulnerability has been patched in version 4.2.26 of the Passster plugin. Users are strongly advised to update to this version or later immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins only [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
