Skip to main content

Anti CVE-2025-48166

MEDIUM
Missing Authorization (CWE-862)
2025-07-16 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:42 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in sminozzi Stop and Block bots plugin Anti bots antibots allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Stop and Block bots plugin Anti bots: from n/a through <= 1.48.

AnalysisAI

Missing authorization controls in the Stop and Block Bots plugin (Anti bots) for WordPress through version 1.48 allows attackers to access functionality that should be restricted by access control lists, enabling unauthorized administrative operations without proper authentication. The vulnerability is classified as broken access control (CWE-862) with low exploitation probability (EPSS 0.06%) and no confirmed active exploitation.

Technical ContextAI

The Stop and Block Bots WordPress plugin fails to implement proper authorization checks (access control lists/ACLs) on sensitive functionality, a violation of the CWE-862 class (Missing Authorization). This means the plugin likely exposes administrative or privileged functions without verifying user roles or capabilities before allowing access. WordPress plugins typically rely on capability checks using functions like current_user_can() to enforce access control; this vulnerability indicates such checks are either absent or improperly implemented on certain endpoints or admin functions. The vulnerability affects the plugin codebase distributed through the WordPress plugin repository, which runs in the context of WordPress's permission model.

Affected ProductsAI

The Stop and Block Bots plugin (Anti bots) by sminozzi for WordPress is affected in version 1.48 and all prior versions. The plugin is distributed through the official WordPress plugin repository and identified by the slug 'antibots'. No specific CPE string is provided in the source data, but the plugin can be identified via WordPress plugin management interfaces and the vendor advisory at Patchstack.

RemediationAI

Update the Stop and Block Bots plugin to a version newer than 1.48 as soon as it is released by the vendor. Users should navigate to the WordPress admin dashboard, access Plugins > Installed Plugins, locate 'Stop and Block Bots (Anti bots)', and click Update if available. If no patched version is immediately available, temporarily disable the plugin to prevent unauthorized access to its functionality, or restrict access to the WordPress admin dashboard via firewall rules or IP whitelisting. Check the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/antibots/vulnerability/wordpress-stop-and-block-bots-plugin-anti-bots-1-48-broken-access-control-vulnerability for patch availability and timeline.

Share

CVE-2025-48166 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy