Description (NVD)
Missing Authorization vulnerability in Reuters News Agency Reuters Direct (reuters-direct) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reuters Direct: from n/a through <= 3.0.0.
Analysis (AI)
The Reuters Direct WordPress plugin, through version 3.0.0, contains a missing authorization vulnerability that lets attackers bypass access control restrictions and reach protected functionality without the required authorization. The flaw stems from incorrectly configured access control security levels in the plugin, potentially enabling unauthenticated users to interact with sensitive features intended only for administrators or subscribers. With an EPSS score of 0.04% and low real-world exploitation signals, the issue presents minimal immediate risk, but it should still be addressed by updating the plugin.
Technical Context (AI)
This vulnerability is classified as CWE-862 (Missing Authorization), a flaw in access control implementation where the application fails to properly verify that users have the necessary permissions before granting access to restricted resources or functions. In the context of the Reuters Direct WordPress plugin, the root cause involves incorrectly configured access control security levels within the plugin's codebase. WordPress plugins relying on improperly implemented capability checks or REST API endpoints without proper permission verification are susceptible to this class of vulnerability. The plugin's failure to enforce authorization checks means that access control decisions are either absent, bypassable, or misconfigured at the application layer.
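The pattern described above, shown as an added illustration that is not code from the Reuters Direct plugin: a WordPress REST route registered without a permission callback (CWE-862) next to its hardened form. The route names, option name and handler functions are hypothetical.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin. Route names, the
// option name and the handlers are hypothetical; this is not reuters-direct code.

// Vulnerable pattern: no 'permission_callback' (or one set to '__return_true'),
// so WordPress treats the route as public and any visitor reaches the handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'  => 'POST',
        'callback' => 'example_plugin_save_settings',
        // 'permission_callback' => '__return_true', // equivalent to omitting it
    ) );
} );

// Hardened pattern: an explicit capability check gates the route. With cookie
// authentication WordPress only sets the current user when a valid X-WP-Nonce
// accompanies the request, so an unauthenticated caller fails this check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// The handler repeats the check (defence in depth) and sanitises its input.
function example_plugin_save_settings( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    $value = sanitize_text_field( $request->get_param( 'feed_key' ) );
    update_option( 'example_plugin_feed_key', $value );
    return rest_ensure_response( array( 'updated' => true ) );
}

// Same bug class for admin-ajax: 'wp_ajax_nopriv_*' hooks run for logged-out
// users. Keep privileged actions on 'wp_ajax_*' and still verify nonce + capability.
add_action( 'wp_ajax_example_plugin_refresh', function () {
    check_ajax_referer( 'example_plugin_refresh' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success();
} );
```

When auditing a plugin for this class of flaw, grep its `register_rest_route` calls for missing or `__return_true` permission callbacks and its `wp_ajax_nopriv_` hooks for privileged work.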
Affected Products (AI)
Reuters Direct WordPress plugin versions from an unspecified baseline through and including version 3.0.0 are affected. The plugin is distributed through the WordPress plugin repository and is identified by the plugin slug reuters-direct in its CPE reference. Any installation with version 3.0.0 or earlier of this plugin active should be treated as exposed to unauthorized access, subject to whether the misconfigured access control is reachable in that specific deployment.
Remediation (AI)
Update the Reuters Direct WordPress plugin to the latest available version later than 3.0.0. In the WordPress dashboard, navigate to Plugins, locate Reuters Direct, and click Update if a newer version is offered. If no newer version is available in the WordPress plugin repository, contact the Reuters Direct plugin vendor directly or consult the official advisory at https://patchstack.com/database/Wordpress/Plugin/reuters-direct/vulnerability/wordpress-reuters-direct-plugin-3-0-0-broken-access-control-vulnerability for specific patch guidance. As a temporary workaround, administrators may restrict the plugin's capabilities through user role management or disable the plugin entirely until a patched version is released. Ensure WordPress user roles and capabilities are correctly assigned so that access restrictions are enforced independently of the plugin.