ThemeBoy Hide Plugins CVE-2025-62115
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in ThemeBoy Hide Plugins hide-plugins allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hide Plugins: from n/a through <= 1.0.4.
AnalysisAI
Hide Plugins WordPress plugin through version 1.0.4 fails to enforce proper authorization checks, allowing unauthenticated or low-privileged users to access plugin management functions intended for administrators. The missing access control (CWE-862) permits attackers to exploit incorrectly configured security levels, potentially enabling unauthorized plugin visibility or manipulation. While EPSS indicates low real-world exploitation probability (0.01%, 2nd percentile), the vulnerability represents a direct authorization bypass that could escalate privileges in certain WordPress configurations.
Technical ContextAI
The Hide Plugins WordPress plugin implements access control mechanisms to restrict plugin visibility and management to authorized administrators. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to validate user permissions before processing requests to sensitive plugin-related operations. This class of flaw typically manifests when capability checks (WordPress's 'manage_options' or equivalent) are either absent or improperly implemented in action handlers or AJAX endpoints. The plugin's access control layer does not correctly verify that the requesting user possesses the requisite privilege level before granting access to plugin management functions, allowing exploitation through direct requests without authentication escalation in some cases.
Affected ProductsAI
ThemeBoy Hide Plugins WordPress plugin versions from initial release through version 1.0.4 are affected. The plugin is available from the WordPress plugin repository (https://patchstack.com/database/Wordpress/Plugin/hide-plugins/vulnerability/wordpress-hide-plugins-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve), and all installations running version 1.0.4 or earlier require remediation.
RemediationAI
Update Hide Plugins to the latest available version released by ThemeBoy after version 1.0.4. Consult the official plugin repository and Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/hide-plugins/vulnerability/wordpress-hide-plugins-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve) for the exact patched version number and installation instructions. As an interim mitigation pending patch deployment, review WordPress user roles and capabilities to ensure only trusted administrators possess 'manage_options' and plugin management permissions, and consider restricting plugin access through additional capability filtering or Web Application Firewall (WAF) rules if the patched version is not immediately available.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today