CVE-2025-54045

Severity: MEDIUM, score 4.3 (CVSS 3.1)
Published: 2025-12-16, [email protected]

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 16, 2025 - 09:15 (nvd), rated MEDIUM 4.3

Description

Missing Authorization vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM On Demand Search And Replace: from n/a through <= 1.5.5.

Analysis

Authenticated users with limited privileges can reach the search and replace functionality of the CM On Demand Search And Replace WordPress plugin (versions up to 1.5.5) because restricted features lack authorization checks. An attacker holding basic user credentials can perform privileged actions intended only for administrators, affecting data confidentiality through unauthorized content access. This is confirmed as an authentication bypass vulnerability with low real-world exploitation probability (EPSS 0.04%) despite the missing authorization flaw.

Technical Context

CM On Demand Search And Replace is a WordPress plugin (no explicit CPE; the WordPress plugin context is implied) that implements search and replace functionality for site content management. The vulnerability is classified as CWE-862 (Missing Authorization): the plugin fails to validate user roles and capabilities before granting access to sensitive operations. WordPress implements capability-based access control through functions such as current_user_can(); this plugin appears to omit or misconfigure those checks. As a result, administrative functions are reachable by authenticated users at a privilege level (PR:L in the CVSS vector) that should not have such access, allowing them to query or modify content without passing an authorization gate.
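To make the CWE-862 pattern concrete, the following is an added, hypothetical WordPress AJAX handler and is not code from the CM On Demand Search And Replace plugin or its vendor. It shows the shape of the flaw (a handler registered for every logged-in user with no capability check) next to the hardened form that gates the operation on current_user_can() and a nonce. The hook names, the capability chosen, the nonce action, and the search/replace helper are all assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Hook names, capability and nonce action
// are assumptions chosen for illustration.

// Stand-in for a plugin's search/replace logic (assumption). Dry-run by default so
// that calling it only counts matches; it writes only when $dry_run is false.
function example_sr_run( $search, $replace, $dry_run = true ) {
    $matches = 0;
    $posts   = get_posts( array( 'post_type' => 'any', 'numberposts' => -1, 's' => $search ) );
    foreach ( $posts as $post ) {
        if ( false === strpos( $post->post_content, $search ) ) {
            continue;
        }
        $matches++;
        if ( ! $dry_run ) {
            wp_update_post( array(
                'ID'           => $post->ID,
                'post_content' => str_replace( $search, $replace, $post->post_content ),
            ) );
        }
    }
    return array( 'matches' => $matches, 'dry_run' => $dry_run );
}

// Vulnerable pattern (CWE-862): "wp_ajax_" hooks fire for every authenticated user,
// and nothing here asks whether that user may perform a site-wide replace.
function example_sr_handler_vulnerable() {
    $search  = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';
    $replace = isset( $_POST['replace'] ) ? sanitize_text_field( wp_unslash( $_POST['replace'] ) ) : '';
    // A subscriber-level account (PR:L) reaches this line: missing authorization.
    wp_send_json_success( example_sr_run( $search, $replace, false ) );
}
add_action( 'wp_ajax_example_sr_vulnerable', 'example_sr_handler_vulnerable' );

// Hardened pattern: verify the request origin (nonce) and the caller's capability
// before any content is read or written, and log rejected attempts for monitoring.
function example_sr_handler_hardened() {
    // Rejects the request outright when the nonce is missing or invalid (CSRF defence).
    check_ajax_referer( 'example_sr_nonce', 'nonce' );

    // Authorization gate: manage_options is an administrator-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf( 'example_sr: denied search/replace for user %d', get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    $search  = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';
    $replace = isset( $_POST['replace'] ) ? sanitize_text_field( wp_unslash( $_POST['replace'] ) ) : '';
    if ( '' === $search ) {
        wp_send_json_error( array( 'message' => 'Empty search term' ), 400 );
    }

    // Only an explicit confirm flag performs writes; everything else is a dry run.
    $dry_run = empty( $_POST['confirm'] );
    wp_send_json_success( example_sr_run( $search, $replace, $dry_run ) );
}
add_action( 'wp_ajax_example_sr_hardened', 'example_sr_handler_hardened' );
```

The relevant difference is the order of operations in the hardened handler: nonce, then capability, then input handling, then the privileged work. Registering a handler under wp_ajax_ only establishes that the caller is logged in; it says nothing about what they are allowed to do, which is exactly the gap CWE-862 describes. The error_log() call gives the activity monitoring mentioned under Remediation something concrete to watch for.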

Affected Products

CM On Demand Search And Replace WordPress plugin versions 1.5.5 and earlier. The vulnerability affects all installations of this plugin up to version 1.5.5 inclusive, as confirmed in the Patchstack vulnerability database entry referenced in the advisory.

Remediation

Upgrade CM On Demand Search And Replace to the patched version released after 1.5.5 immediately. Refer to the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/cm-on-demand-search-and-replace/vulnerability/wordpress-cm-on-demand-search-and-replace-plugin-1-5-4-broken-access-control-vulnerability?_s_id=cve for patch availability and release details. As an interim mitigation, restrict plugin access to administrator-level users only through WordPress role and capability management, and audit user permission levels to ensure low-privilege accounts do not have search/replace feature access. Monitor activity logs for unauthorized access attempts to sensitive content areas.

Priority Score

Score: 22 (scale: Low / Medium / High / Critical)
Components: KEV: 0, EPSS: +0.0, CVSS: +22, POC: 0

CVE-2025-54045 vulnerability details – vuln.today