CVE-2025-48155

Missing Authorization (CWE-862)
2025-07-16 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Missing Authorization vulnerability in enituretechnology Residential Address Detection residential-address-detection allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Residential Address Detection: from n/a through <= 2.5.9.

Analysis (AI)

Missing authorization controls in enituretechnology Residential Address Detection WordPress plugin versions up to 2.5.9 allow unauthenticated attackers to access restricted functionality by bypassing access control lists. The vulnerability stems from insufficient ACL enforcement, enabling attackers to invoke protected features without proper permission validation. EPSS exploitation probability is low at 0.06%, though the authentication bypass classification indicates practical attack feasibility.

Technical Context (AI)

The Residential Address Detection plugin fails to properly implement access control list (ACL) enforcement when handling requests to protected functionality. CWE-862 (Missing Authorization) indicates the application checks whether a user is permitted to perform an action, but does not properly enforce these authorization checks before granting access. In WordPress plugin architecture, this typically manifests as missing capability checks (e.g., current_user_can()) on AJAX handlers, REST API endpoints, or admin functions. Attackers can directly invoke these unprotected endpoints without requisite WordPress roles or nonces, effectively bypassing the plugin's intended permission model.

Affected Products (AI)

enituretechnology Residential Address Detection WordPress plugin through version 2.5.9. The vulnerability affects all installations using the plugin from initial release through the 2.5.9 version, as indicated by the version range descriptor 'from n/a through <= 2.5.9.' CPE string: cpe:2.3:a:enituretechnology:residential-address-detection:*:*:*:*:*:wordpress:*:*. Refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/residential-address-detection/vulnerability/wordpress-residential-address-detection-plugin-2-5-9-broken-access-control-vulnerability for vendor advisory details.

Remediation (AI)

Upgrade the Residential Address Detection plugin to a patched version beyond 2.5.9 immediately upon availability. Check the official plugin repository or enituretechnology's distribution channels for a security update that implements proper authorization checks (ACL validation) on all protected functionality. If an immediate patch is unavailable, disable or remove the plugin until a fix is released. WordPress administrators should verify the plugin does not expose sensitive address data or administrative functions via unprotected endpoints; restrict plugin activation to trusted users only and monitor server logs for suspicious access patterns to plugin-related API calls or AJAX handlers.
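To find installations that fall inside the affected range given above, the following added example (not part of the original advisory or of the plugin's code) reads the Version header from the plugin's top-level PHP files and compares it with 2.5.9. It assumes the default WordPress layout wp-content/plugins/<slug>; the function names are illustrative.

```python
import re
from pathlib import Path

SLUG = "residential-address-detection"   # plugin slug, from the advisory
LAST_AFFECTED = "2.5.9"                  # upper bound of the affected range

# WordPress takes plugin metadata from a header comment near the top of a
# top-level PHP file in the plugin directory ("Plugin Name:", "Version:").
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def version_key(version):
    """Turn '2.5.9' into (2, 5, 9); a suffix such as '-beta1' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def is_affected(version):
    a, b = version_key(version), version_key(LAST_AFFECTED)
    width = max(len(a), len(b))          # pad so that 2.5 compares as 2.5.0
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(a) <= pad(b)

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]   # header sits at the start
        fields = {k.lower(): v for k, v in HEADER.findall(head)}
        if "plugin name" in fields:      # only the main file carries this field
            return fields.get("version")
    return None

def audit(wp_root):
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "not installed"
    version = installed_version(plugin_dir)
    if version is None:
        return "installed, version unknown: inspect manually"
    state = "AFFECTED" if is_affected(version) else "outside affected range"
    return f"{version}: {state}"

if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the WordPress root as the only argument. A deactivated plugin still counts as installed here, since its files remain on disk.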
