CVE-2025-62138
Description
Missing Authorization vulnerability in cedcommerce WP Advanced PDF (wp-advanced-pdf) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Advanced PDF: from n/a through 1.1.7.
Analysis
Versions of the cedcommerce WP Advanced PDF plugin up to and including 1.1.7 omit an authorization check on at least one operation the plugin exposes, so a request that reaches that operation is served without the plugin verifying that the caller holds the capability it should require. The available data does not say which operation is affected or what privilege level, if any, an attacker needs; the attack-pattern label in the description (Exploiting Incorrectly Configured Access Control Security Levels) indicates only that the plugin's access control is weaker than its operations warrant, so PDF generation or management features may be reachable by users who should not have them. No CVSS vector or active exploitation data is available, and the low EPSS score (0.04%) suggests minimal real-world attack activity.
Technical Context
The vulnerability is classified as CWE-862 (Missing Authorization): the application performs a privileged operation without first checking that the requesting user is permitted to perform it. In WP Advanced PDF (a WordPress plugin for generating and managing PDFs) the advisory does not identify the affected code path; in plugins of this kind the unguarded operation is typically an admin-ajax.php action, a REST route, or an admin-side settings or file handler that should be limited to administrators or a specific role. The recurring WordPress mistake is treating a nonce check as authorization: wp_verify_nonce() and check_ajax_referer() only defend against CSRF, and any logged-in user (or anyone, when the nonce is printed on a public page) can obtain a valid nonce, so a handler also needs an explicit current_user_can() capability check. Two other common causes are registering a handler on the wp_ajax_nopriv_{action} hook, which serves unauthenticated requests, and registering a REST route with permission_callback set to __return_true. Whichever pattern applies here, the effect is that an HTTP request to the affected endpoint is processed without the plugin confirming the caller's privilege level.
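The patterns above, as an added example that is not code from WP Advanced PDF or from cedcommerce: a nonce-only AJAX handler beside its hardened form, and the equivalent mistake and fix for a REST route. The action names, option name, route namespace and function names are hypothetical.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin. Not code from
// WP Advanced PDF; every name below (wpapdf_*, option name, route) is made up.

// --- Vulnerable pattern: nonce check mistaken for authorization --------------
add_action( 'wp_ajax_wpapdf_save_settings', 'wpapdf_save_settings_vulnerable' );
// Hooking the nopriv variant as well means visitors with no account reach the handler.
add_action( 'wp_ajax_nopriv_wpapdf_save_settings', 'wpapdf_save_settings_vulnerable' );

function wpapdf_save_settings_vulnerable() {
    // A nonce only proves the request came from a page that printed the nonce
    // (CSRF defence). It says nothing about whether the caller may change settings.
    check_ajax_referer( 'wpapdf_settings', 'nonce' );

    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'wpapdf_settings', $settings ); // privileged write, no capability check
    wp_send_json_success();
}

// --- Hardened pattern: capability check, then nonce, then sanitized input -----
add_action( 'wp_ajax_wpapdf_save_settings_v2', 'wpapdf_save_settings_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated requests never
// reach the function (WordPress answers them with "0" / HTTP 400).

function wpapdf_save_settings_hardened() {
    // 1. Authorization: the caller must hold the capability the operation needs.
    //    wp_send_json_error() ends the request, so nothing below runs for others.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. CSRF: the request must carry a valid nonce for this action.
    check_ajax_referer( 'wpapdf_settings', 'nonce' );

    // 3. Input handling: store only validated, sanitized values.
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array(
        'page_size'   => in_array( $raw['page_size'] ?? '', array( 'A4', 'Letter' ), true )
            ? $raw['page_size'] : 'A4',
        'header_text' => sanitize_text_field( $raw['header_text'] ?? '' ),
    );
    update_option( 'wpapdf_settings', $settings );
    wp_send_json_success( $settings );
}

// --- Same rule for REST routes: permission_callback is the authorization check -
add_action( 'rest_api_init', function () {
    // Vulnerable: __return_true exposes the route to every caller, logged in or not.
    register_rest_route( 'wpapdf/v1', '/settings-open', array(
        'methods'             => 'POST',
        'callback'            => 'wpapdf_rest_save_settings',
        'permission_callback' => '__return_true',
    ) );
    // Hardened: the permission callback enforces the capability; 'args' validates input.
    register_rest_route( 'wpapdf/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'wpapdf_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'page_size' => array(
                'type'     => 'string',
                'enum'     => array( 'A4', 'Letter' ),
                'required' => true,
            ),
        ),
    ) );
} );

function wpapdf_rest_save_settings( WP_REST_Request $request ) {
    update_option( 'wpapdf_settings', array( 'page_size' => $request['page_size'] ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

To confirm a handler is guarded, send the request as a Subscriber-level account (and, for any handler on a nopriv hook, with no session at all) and verify the response is the 403 or WordPress's "0"/400 rather than a success body; a nonce obtained from a page the low-privilege user can view must not be enough to get the operation executed.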
Affected Products
cedcommerce WP Advanced PDF plugin versions from an unspecified baseline through version 1.1.7 are affected. The plugin is distributed through the WordPress plugin repository and is identified by the slug wp-advanced-pdf. No specific CPE string is available in the provided data, but the vulnerability scope is limited to WordPress installations with this plugin active. Users running version 1.1.7 or earlier on any WordPress installation are exposed to the authorization bypass.
Remediation
Update cedcommerce WP Advanced PDF to a patched version beyond 1.1.7 as soon as a fixed release becomes available. Check the WordPress plugin repository or cedcommerce's official channels for the latest version, and enable automatic updates for the plugin if your WordPress configuration permits. In the interim, disable the plugin if its functionality is not critical; that is the only stopgap that closes the exposure with certainty, because the advisory does not name the affected endpoint and a Web Application Firewall (WAF) rule can therefore not be targeted precisely. Restricting the WordPress admin interface by IP in .htaccess is of limited value here: such rules are commonly written to exempt wp-admin/admin-ajax.php (front-end features depend on it) and do not cover the REST API under /wp-json/, so a vulnerable AJAX action or REST route can remain reachable. The vendor advisory is available at https://patchstack.com/database/Wordpress/Plugin/wp-advanced-pdf/vulnerability/wordpress-wp-advanced-pdf-plugin-1-1-7-other-vulnerability-type-vulnerability?_s_id=cve for detailed remediation guidance.