CVE-2025-62085

MEDIUM
2025-12-09 [email protected]
5.3
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), MEDIUM 5.3

Description

Missing Authorization vulnerability in Bertha AI – Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through <= 1.13.

Analysis

The Bertha AI WordPress plugin through version 1.13 allows unauthenticated attackers to modify content via incorrectly configured access control, enabling unauthorized changes to website data without authentication. The vulnerability stems from missing authorization checks on sensitive operations and is classified as CWE-862 (Missing Authorization). While the CVSS score is 5.3 (medium severity), the EPSS exploitation probability is minimal at 0.04%, indicating low real-world attack likelihood despite the straightforward attack vector.

Technical Context

Bertha AI (bertha-ai-free) is a WordPress plugin that provides AI-powered content generation and management capabilities. The vulnerability exists within the plugin's access control implementation, where authorization checks are either absent or incorrectly configured for certain operations. CWE-862 (Missing Authorization) indicates that the plugin fails to verify whether users have permission to perform specific actions before allowing those actions to execute. This is distinct from authentication bypass: the plugin may not verify user identity at all on certain endpoints, or it may fail to map authenticated users to appropriate permission levels. The flaw affects the plugin's API handlers or admin AJAX endpoints that process write operations (indicated by the Integrity impact in CVSS), likely exposing functionality that should be restricted to authenticated administrators.
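To make the CWE-862 pattern concrete, the following is an added illustration written for this page; it is not Bertha AI's code, and the action name, function names, capability and request fields are assumptions. It shows a hypothetical admin-ajax write handler in the shape the analysis describes (registered for unauthenticated callers and lacking any permission check) beside a hardened version that keeps the write behind a nonce, an authenticated-only hook, and an object-level capability check.

```php
<?php
// Added illustration, not the plugin's own code. Action name, function names,
// capability and POST fields are assumptions chosen for the example.

// --- Vulnerable pattern (CWE-862): reachable without login, no permission check.
function hypothetical_save_content_vulnerable() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    // No current_user_can() and no nonce: any network client that can reach
    // admin-ajax.php can overwrite the post, matching the Integrity:Low impact.
    wp_update_post( array( 'ID' => $post_id, 'post_content' => $content ) );
    wp_send_json_success();
}
// Registering on wp_ajax_nopriv_* exposes the write to unauthenticated visitors.
add_action( 'wp_ajax_nopriv_hypothetical_save_content', 'hypothetical_save_content_vulnerable' );
add_action( 'wp_ajax_hypothetical_save_content', 'hypothetical_save_content_vulnerable' );

// --- Hardened pattern: authenticated-only hook, nonce, object-level capability check.
function hypothetical_save_content_hardened() {
    // CSRF protection: terminates with HTTP 403 unless a valid nonce for this
    // action is supplied in the 'nonce' request field.
    check_ajax_referer( 'hypothetical_save_content', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    // Authorization: the caller must be allowed to edit *this* post, not merely
    // be logged in. This is the check whose absence defines CWE-862.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    // Second argument true makes wp_update_post() return a WP_Error on failure.
    $result = wp_update_post( array( 'ID' => $post_id, 'post_content' => $content ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
// Only the wp_ajax_ (logged-in) hook; deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_hypothetical_save_content', 'hypothetical_save_content_hardened' );
```

The client side would obtain the nonce from `wp_create_nonce( 'hypothetical_save_content' )` (typically passed to the script via `wp_localize_script`) and send it as the `nonce` field. Note that the nonce alone is not authorization: `check_ajax_referer()` only proves the request originated from a page the site served, so the `current_user_can()` check on the specific post remains the control that addresses CWE-862.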

Affected Products

Bertha AI WordPress plugin (bertha-ai-free) from version 1.0 through version 1.13 is affected. The plugin is identified by CPE references to the WordPress plugin ecosystem and is distributed through the official WordPress plugin repository. Vulnerability details and affected version information are documented in the Patchstack vulnerability database, accessible via https://patchstack.com/database/Wordpress/Plugin/bertha-ai-free/vulnerability/wordpress-bertha-ai-plugin-1-13-broken-access-control-vulnerability?_s_id=cve

Remediation

Upgrade the Bertha AI plugin to a version newer than 1.13 as soon as one is released by the plugin developer (Andrew Palmer). Check the official WordPress plugin repository or the plugin's GitHub page for patched versions. In the interim, restrict access to the WordPress plugin dashboard and disable the Bertha AI plugin if it is not essential to operations. Implement additional access controls at the web server or WAF level to restrict administrative plugin functionality to trusted IP ranges. Monitor WordPress audit logs for unauthorized modifications to posts, pages, or plugin settings that may indicate exploitation attempts. For detailed remediation guidance and patch release notifications, monitor the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/bertha-ai-free/vulnerability/wordpress-bertha-ai-plugin-1-13-broken-access-control-vulnerability?_s_id=cve

Priority Score

27 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0
