CVE-2025-54018

2025-07-16 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Missing Authorization vulnerability in CreativeMindsSolutions CM Pop-Up banners cm-pop-up-banners allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM Pop-Up banners: from n/a through <= 1.8.4.

Analysis (AI)

Missing authorization controls in CreativeMindsSolutions CM Pop-Up banners WordPress plugin versions 1.8.4 and earlier allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of access control checks on sensitive functionality, enabling attackers to perform unauthorized actions through direct API or parameter manipulation without requiring valid credentials or proper authorization validation.

Technical Context (AI)

CM Pop-Up banners is a WordPress plugin that manages pop-up banner display and configuration. The vulnerability is classified as CWE-862 (Missing Authorization), which occurs when software fails to perform authorization checks before allowing access to sensitive functionality or resources. In this case, the plugin does not properly validate user permissions or roles before executing critical operations related to pop-up banner configuration and access control levels. This is a common pattern in WordPress plugin vulnerabilities where developers fail to implement proper capability checks (using functions like current_user_can()) or nonce verification before processing administrative or sensitive requests.

Affected Products (AI)

All versions of the CreativeMindsSolutions CM Pop-Up banners WordPress plugin up to and including 1.8.4 are affected. The plugin is distributed via the official WordPress plugin repository and identified by its slug cm-pop-up-banners. Additional information and advisory details are available from the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/cm-pop-up-banners/vulnerability/wordpress-cm-pop-up-banners-plugin-1-8-4-broken-access-control-vulnerability?_s_id=cve.

Remediation (AI)

Users should update CM Pop-Up banners to the latest available version beyond 1.8.4 immediately via the WordPress plugin manager. Site administrators running this plugin should verify in their WordPress admin dashboard that automatic updates are enabled, or manually navigate to Plugins > Installed Plugins, locate CM Pop-Up banners, and click Update if available. Additionally, audit any pop-up banner configurations and access control settings to ensure they reflect intended permissions. If a patched version is not yet available from the plugin author, consider temporarily deactivating the plugin until a security update is released, or review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cm-pop-up-banners/vulnerability for any interim mitigation guidance provided by the security research team.
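To check a site's files against the affected range stated above, the following added example (not code from the plugin, Patchstack or vuln.today) reads the plugin's `Version:` header from a `wp-content/plugins` directory and compares it numerically with 1.8.4. The status strings, the helper names and the constructed fixture file `sample-main.php` are assumptions made for illustration.

```python
import re
from pathlib import Path

SLUG = "cm-pop-up-banners"   # plugin slug given in the advisory
LAST_AFFECTED = (1, 8, 4)    # advisory: affected through <= 1.8.4
# WordPress plugin metadata lives in a comment header, e.g. " * Version: 1.2.3".
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'1.8.4' -> (1, 8, 4); '1.10.0' -> (1, 10); None if not dotted-numeric."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    if not match:
        return None
    parts = [int(p) for p in match.group(0).split(".")]
    while parts and parts[-1] == 0:
        parts.pop()  # so that 1.8.4.0 compares equal to 1.8.4
    return tuple(parts)

def installed_version(plugins_dir):
    """Version header of the plugin under plugins_dir, or None if absent."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress itself reads only the first 8 KB when looking for headers.
        head = php.read_bytes()[:8192].decode("utf-8", errors="replace")
        if re.search(r"Plugin Name:", head, re.I):
            match = VERSION_RE.search(head)
            return match.group(1) if match else "unknown"
    return "unknown"

def assess(plugins_dir):
    """Classify one wp-content/plugins directory against the advisory range."""
    raw = installed_version(plugins_dir)
    if raw is None:
        return "not-installed"
    version = parse_version(raw)
    if version is None:
        return "unknown-version"  # present but unreadable: review by hand
    return "affected" if version <= LAST_AFFECTED else "newer-than-1.8.4"

def make_sample(root, version_line):
    """Constructed fixture: a stand-in plugin folder, not the real plugin code."""
    folder = Path(root) / SLUG
    folder.mkdir(parents=True)
    header = "<?php\n/*\n * Plugin Name: Constructed sample\n%s */\n" % version_line
    (folder / "sample-main.php").write_text(header, encoding="utf-8")
    return root
```

Call `assess()` with the path to a site's `wp-content/plugins` directory; a result of `newer-than-1.8.4` only means the version is outside the range this page lists, so confirm the fix status in the Patchstack advisory.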
