Skip to main content

ThemeBoy Hide Plugins CVE-2025-62115

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
4.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 17:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in ThemeBoy Hide Plugins hide-plugins allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hide Plugins: from n/a through <= 1.0.4.

AnalysisAI

Hide Plugins WordPress plugin through version 1.0.4 fails to enforce proper authorization checks, allowing unauthenticated or low-privileged users to access plugin management functions intended for administrators. The missing access control (CWE-862) permits attackers to exploit incorrectly configured security levels, potentially enabling unauthorized plugin visibility or manipulation. While EPSS indicates low real-world exploitation probability (0.01%, 2nd percentile), the vulnerability represents a direct authorization bypass that could escalate privileges in certain WordPress configurations.

Technical ContextAI

The Hide Plugins WordPress plugin implements access control mechanisms to restrict plugin visibility and management to authorized administrators. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to validate user permissions before processing requests to sensitive plugin-related operations. This class of flaw typically manifests when capability checks (WordPress's 'manage_options' or equivalent) are either absent or improperly implemented in action handlers or AJAX endpoints. The plugin's access control layer does not correctly verify that the requesting user possesses the requisite privilege level before granting access to plugin management functions, allowing exploitation through direct requests without authentication escalation in some cases.

Affected ProductsAI

ThemeBoy Hide Plugins WordPress plugin versions from initial release through version 1.0.4 are affected. The plugin is available from the WordPress plugin repository (https://patchstack.com/database/Wordpress/Plugin/hide-plugins/vulnerability/wordpress-hide-plugins-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve), and all installations running version 1.0.4 or earlier require remediation.

RemediationAI

Update Hide Plugins to the latest available version released by ThemeBoy after version 1.0.4. Consult the official plugin repository and Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/hide-plugins/vulnerability/wordpress-hide-plugins-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve) for the exact patched version number and installation instructions. As an interim mitigation pending patch deployment, review WordPress user roles and capabilities to ensure only trusted administrators possess 'manage_options' and plugin management permissions, and consider restricting plugin access through additional capability filtering or Web Application Firewall (WAF) rules if the patched version is not immediately available.

Share

CVE-2025-62115 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy