Skip to main content

CVE-2025-62116

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in quadlayers AI Copilot ai-copilot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Copilot: from n/a through <= 1.5.2.

AnalysisAI

Missing authorization checks in quadlayers AI Copilot WordPress plugin versions up to 1.5.2 allow unauthenticated or inadequately privileged users to bypass access control restrictions and perform unauthorized actions. The vulnerability stems from improperly configured security levels that fail to enforce proper permission validation, enabling attackers to exploit the authentication bypass to access or manipulate protected functionality without proper credentials.

Technical ContextAI

This vulnerability is classified as CWE-862 (Missing Authorization), a fundamental access control flaw in which the application fails to verify that a user has the appropriate permissions before allowing access to sensitive resources or operations. In the context of the quadlayers AI Copilot WordPress plugin, the vulnerability indicates that the plugin implements insufficient authorization checks on its API endpoints or administrative functions. WordPress plugins typically enforce authorization through capability checking (using functions like current_user_can()) and nonce verification for state-changing operations. When these mechanisms are incorrectly configured or omitted, unauthenticated users or users with minimal privileges can interact with protected endpoints, potentially leading to unauthorized data access, modification, or deletion. The CPE for this vulnerability covers the WordPress plugin ai-copilot in versions through 1.5.2.

Affected ProductsAI

The quadlayers AI Copilot WordPress plugin is affected in all versions from the initial release through and including version 1.5.2. The plugin is distributed via the official WordPress Plugin Directory as 'ai-copilot'. Users running any version at or below 1.5.2 are at risk of exposure to this authorization bypass vulnerability.

RemediationAI

Update the AI Copilot plugin to a version newer than 1.5.2 immediately. Visit the WordPress Plugin Directory or navigate to Plugins > Installed Plugins in your WordPress dashboard, locate 'AI Copilot,' and click 'Update' if available. If an update beyond 1.5.2 has been released, apply it directly. If no newer version is available from the vendor, disable the plugin until a security patch is released. For additional details and confirmation of patch availability, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/ai-copilot/vulnerability/wordpress-ai-copilot-plugin-1-4-7-broken-access-control-vulnerability?_s_id=cve.

Share

CVE-2025-62116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy