CVE-2025-62092
Description
Missing Authorization vulnerability in Wiremo Wiremo woo-reviews-by-wiremo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wiremo: from n/a through <= 1.4.99.
Analysis
Missing authorization controls in the Wiremo woo-reviews-by-wiremo WordPress plugin through version 1.4.99 allow attackers to bypass access restrictions and exploit incorrectly configured security levels, potentially enabling unauthorized data access or modification of review functionality. The vulnerability stems from broken access control (CWE-862) and carries an EPSS score of 0.04% (13th percentile), indicating low real-world exploitation probability despite the authentication bypass tag.
Technical Context
The Wiremo woo-reviews-by-wiremo plugin, a WordPress extension for managing WooCommerce product reviews, implements access control mechanisms that fail to properly validate user permissions before allowing sensitive operations. CWE-862 (Missing Authorization) means the plugin performs an action or grants access to a resource without checking that the requesting user is authorized to do so. This type of flaw typically manifests in WordPress plugins when custom post type handlers, AJAX endpoints, or admin functionality do not check user roles (subscriber, contributor, author, editor, administrator) or verify nonce values before executing privileged actions. The vulnerability affects all versions up to and including 1.4.99.
Affected Products
The Wiremo woo-reviews-by-wiremo WordPress plugin is affected in all versions from an unspecified baseline through version 1.4.99. This is a WordPress plugin distributed through the official plugin repository (identified by the slug woo-reviews-by-wiremo) that integrates with WooCommerce. Administrators running any instance of this plugin at or below version 1.4.99 should assume the system is vulnerable.
Remediation
Update the Wiremo woo-reviews-by-wiremo plugin to a version newer than 1.4.99. Administrators should navigate to the WordPress dashboard, access the Plugins menu, locate woo-reviews-by-wiremo in the installed plugins list, and click Update if available. If an update beyond 1.4.99 has been released by the vendor, install it immediately. As an interim measure, administrators should restrict access to the vulnerable plugin functionality by limiting user roles that can interact with reviews or review-related settings, and consider disabling the plugin entirely if it is not actively used. Consult the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/woo-reviews-by-wiremo/vulnerability/wordpress-wiremo-plugin-1-4-99-broken-access-control-vulnerability?_s_id=cve) for vendor-specific patching guidance and confirmation of available fix versions.
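To confirm exposure across many sites without opening each dashboard, the installed version can be read from the plugin's header comment on disk. The script below is an added example, not code from the advisory or the vendor; it assumes the standard `wp-content/plugins/<slug>` layout, and the function names and the sample plugin file it builds are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

SLUG = "woo-reviews-by-wiremo"   # plugin slug named in the advisory
LAST_AFFECTED = "1.4.99"         # advisory: affected through <= 1.4.99

def header(text, field):
    """Read one plugin header field, mirroring WordPress's header-comment format."""
    m = re.search(r"^(?:[ \t]*<\?php)?[ \t/*#@]*" + re.escape(field) + r":(.*)$",
                  text, re.M | re.I)
    return m.group(1).strip() if m else None

def version_key(version):
    """Dotted version -> comparable tuple; trailing zeros dropped so 1.5 == 1.5.0."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def installed_version(plugins_dir):
    """Version header from the first 8 KiB of a top-level PHP file; '' if absent."""
    plugin = Path(plugins_dir) / SLUG
    if not plugin.is_dir():
        return None
    for php in sorted(plugin.glob("*.php")):
        text = php.read_bytes()[:8192].decode("utf-8", "replace")
        if header(text, "Plugin Name"):
            return header(text, "Version") or ""
    return None

def assess(plugins_dir):
    version = installed_version(plugins_dir)
    if version is None:
        return "not-installed"
    if not version:
        return "unknown-version"
    return "affected" if version_key(version) <= version_key(LAST_AFFECTED) else "not-affected"

def make_sample(root, version):  # constructed fixture, not the real plugin's code
    plugin = Path(root) / SLUG
    plugin.mkdir(parents=True)
    (plugin / "sample-main.php").write_text(
        "<?php\n/**\n * Plugin Name: Sample (constructed)\n * Version: %s\n */\n" % version)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp, "1.4.99")
        print(SLUG, assess(tmp))
```

On a real host, pass the site's `wp-content/plugins` path to `assess()`; an `unknown-version` result should be treated as affected until checked by hand.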