CVE-2025-62128

Published: 2025-12-30

Lifecycle Timeline

CVE Published: Dec 30, 2025 - 17:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)

Description

Missing Authorization vulnerability in the SiteLock plugin "SiteLock Security - WP Hardening, Login Security & Malware Scans" (plugin slug: sitelock) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security - WP Hardening, Login Security & Malware Scans: from n/a through 5.0.1 (all versions <= 5.0.1).

Analysis

Missing authorization (CWE-862) in the SiteLock Security WordPress plugin, versions through 5.0.1, lets a caller reach plugin functionality that should have been gated behind a capability check. The advisory identifies the flaw only as broken access control: it does not name the affected handler, nor state whether the caller must be logged in, so the attacker privilege required is unknown from this page. Although the entry is tagged here as an authentication bypass, CWE-862 is an authorization flaw: the caller may well be authenticated, but is never checked for the capability the operation requires. EPSS puts the exploitation probability at 0.05% (17th percentile), no CVSS score is recorded on this page, and no public proof of concept or KEV listing is noted, so the observed real-world attack likelihood is low despite the nature of the flaw.

Technical Context

This vulnerability is an instance of CWE-862 (Missing Authorization): the application fails to check that the caller holds the required privilege before performing an operation or returning a resource. WordPress plugins enforce access control through capability checks, typically current_user_can() in admin-page, admin-post and admin-ajax handlers, and the permission_callback of REST routes registered with register_rest_route(). A nonce check alone is not authorization; it only proves the request originated from a form or script WordPress rendered for that user. The advisory indicates that at least one of the SiteLock plugin's hardening, login-security or malware-scanning operations is reachable without such a capability check, so a caller with less privilege than intended can invoke it. Which handler is affected, and what privilege (if any) the caller needs to reach it, is not disclosed on this page.
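The pattern described above, as an added example that is not code from the SiteLock plugin: a hypothetical WordPress settings toggle exposed through admin-ajax.php and through the REST API, first in the CWE-862 form and then with the capability check in place. The action name example_toggle_hardening, the option name, and the route example/v1/hardening are placeholders chosen for this illustration.

```php
<?php
/*
 * Added example, not SiteLock's code. Hypothetical handler names and option
 * names; only the WordPress API calls (check_ajax_referer, current_user_can,
 * register_rest_route, wp_send_json_*) are real. Runs inside a WordPress plugin.
 */

// --- Vulnerable pattern (CWE-862): no capability check, no nonce -------------
function example_toggle_hardening_vulnerable() {
    // Any request to admin-ajax.php?action=example_toggle_hardening flips a
    // security setting. With the nopriv hook below it is reachable anonymously.
    $enabled = ! empty( $_POST['enabled'] );
    update_option( 'example_hardening_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
// As it would be registered in the vulnerable version (left unregistered here
// so the hardened handler below is the one actually wired up):
// add_action( 'wp_ajax_example_toggle_hardening',        'example_toggle_hardening_vulnerable' );
// add_action( 'wp_ajax_nopriv_example_toggle_hardening', 'example_toggle_hardening_vulnerable' );

// --- Hardened pattern: CSRF token, then capability, then state change --------
function example_toggle_hardening_hardened() {
    // 1. The request must carry a nonce minted for this action (anti-CSRF).
    //    check_ajax_referer() dies with -1 / HTTP 403 on failure.
    check_ajax_referer( 'example_hardening', 'nonce' );

    // 2. The nonce proves origin, not privilege: a Subscriber can obtain one.
    //    Authorization is the capability check, and it must come before any write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $enabled = ! empty( $_POST['enabled'] );
    update_option( 'example_hardening_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_example_toggle_hardening', 'example_toggle_hardening_hardened' );
// Deliberately no wp_ajax_nopriv_ hook: anonymous callers get WordPress's default
// "0" response instead of reaching the handler at all.

// --- The same flaw in REST form ---------------------------------------------
// A route with 'permission_callback' => '__return_true' is the REST equivalent
// of a missing current_user_can() call; the callback below is the fix.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/hardening', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_toggle_hardening',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'enabled' => array( 'type' => 'boolean', 'required' => true ),
        ),
    ) );
} );

function example_rest_toggle_hardening( WP_REST_Request $request ) {
    // Cookie-authenticated REST calls also need the X-WP-Nonce header; WordPress
    // checks it before this callback runs, so only the capability gate is ours.
    $enabled = (bool) $request->get_param( 'enabled' );
    update_option( 'example_hardening_enabled', $enabled );
    return rest_ensure_response( array( 'enabled' => $enabled ) );
}
```

The ordering in the hardened handler matters: the nonce check rejects forged cross-site requests, the capability check rejects legitimately authenticated but under-privileged users, and nothing touches the database until both have passed.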

Affected Products

SiteLock Security - WP Hardening, Login Security & Malware Scans WordPress plugin versions from inception through 5.0.1 are affected. The plugin is identified in NVD by a WordPress-plugin CPE entry and is distributed through the official WordPress plugin repository under the slug sitelock. Every WordPress site running version 5.0.1 or earlier of this plugin is a vulnerable installation.

Remediation

Update the SiteLock Security plugin to a version newer than 5.0.1 immediately. Check the official WordPress plugin repository or the vendor's advisory at https://patchstack.com/database/Wordpress/Plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-1-broken-access-control-vulnerability?_s_id=cve for the specific patched version and installation instructions. Until the update is applied, restrict administrative access to the plugin's settings and features by limiting which roles may modify security hardening configuration, and monitor the site's access logs for unexpected requests to admin-ajax.php and plugin REST routes. Because the page does not state whether the affected handler is reachable without authentication, role restriction should be treated as a partial mitigation, not a substitute for the patch. After patching, verify that capability checks are enforced on all of the plugin's security-critical operations.
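A post-patch audit helper for the two verification steps above (version at or below 5.0.1, and handlers registered without a capability gate), added here as an example that is not part of the page or of the SiteLock plugin. It parses the plugin header the way WordPress does and flags registrations that deserve manual review; the plugin directory path and the sample plugin file it creates are constructed so the script runs offline (on a real site the directory would be wp-content/plugins/sitelock, using the slug from the description).

```php
<?php
// Added example, not SiteLock's code. The sample plugin written to a temp
// directory below is constructed; replace $dir with the real plugin path.

// Read "Version:" from the plugin header. WordPress inspects only the first 8 KB
// of the main file, and its header regex is the one used here.
function plugin_header_version( string $main_file ): ?string {
    $head = file_get_contents( $main_file, false, null, 0, 8192 );
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(.+)$/mi', $head, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

// Affected range from the advisory: every version through 5.0.1.
function is_vulnerable_version( string $version, string $last_bad = '5.0.1' ): bool {
    return version_compare( $version, $last_bad, '<=' );
}

// Heuristic scan for registrations that expose a handler without authorization.
// A hit is a place to read the handler and confirm a current_user_can() check,
// not proof of a flaw.
function find_risky_registrations( string $plugin_dir ): array {
    $patterns = array(
        'anonymous AJAX hook'    => '/add_action\(\s*[\'"]wp_ajax_nopriv_/',
        'open REST permission'   => '/[\'"]permission_callback[\'"]\s*=>\s*[\'"]__return_true[\'"]/',
    );
    $hits = array();
    $files = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $plugin_dir ) );
    foreach ( $files as $file ) {
        if ( $file->getExtension() !== 'php' ) {
            continue;
        }
        foreach ( file( $file->getPathname() ) as $n => $line ) {
            foreach ( $patterns as $label => $re ) {
                if ( preg_match( $re, $line ) ) {
                    $hits[] = sprintf( '%s:%d %s', $file->getPathname(), $n + 1, $label );
                }
            }
        }
    }
    return $hits;
}

// ---- constructed sample plugin so the audit runs without a WordPress install ----
$dir = sys_get_temp_dir() . '/example-plugin-' . getmypid();
mkdir( $dir );
file_put_contents(
    $dir . '/example.php',
    "<?php\n/*\nPlugin Name: Example\nVersion: 5.0.1\n*/\n"
    . "add_action( 'wp_ajax_nopriv_example_scan', 'example_scan' );\n"
);

$version = plugin_header_version( $dir . '/example.php' );
printf(
    "plugin version %s -> %s\n",
    $version,
    is_vulnerable_version( $version ) ? 'VULNERABLE (<= 5.0.1), update required' : 'outside affected range'
);
foreach ( find_risky_registrations( $dir ) as $hit ) {
    echo "review: $hit\n";
}

unlink( $dir . '/example.php' );
rmdir( $dir );
```

With the constructed sample the script reports the 5.0.1 header as vulnerable and lists the anonymous AJAX hook for review; run against the real plugin directory after updating, the version line should fall outside the affected range and any remaining hits are the handlers whose capability checks to confirm by hand.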

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
Contributing factors:
KEV: 0 (not listed)
EPSS: +0.1
CVSS: +0 (no score recorded)
POC: 0 (none recorded)
