Skip to main content

CVE-2025-62138

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 14:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in cedcommerce WP Advanced PDF wp-advanced-pdf allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Advanced PDF: from n/a through <= 1.1.7.

AnalysisAI

Missing authorization controls in cedcommerce WP Advanced PDF plugin versions up to 1.1.7 allow attackers to bypass access restrictions and exploit incorrectly configured security levels. The vulnerability enables unauthenticated access to functionalities that should require proper authorization checks, potentially exposing sensitive PDF generation or management features to unauthorized users. No CVSS vector or active exploitation data is available, but the low EPSS score (0.04%) suggests minimal real-world attack activity.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the application fails to properly verify user permissions before allowing sensitive operations. In the WP Advanced PDF plugin (a WordPress plugin for dynamic PDF generation and management), the authorization bypass likely affects API endpoints, admin functions, or file generation routines that should be restricted to authenticated administrators or specific roles. WordPress plugins are particularly susceptible to such flaws when developers conflate WordPress capability checks with proper authorization validation, or fail to implement nonce verification for sensitive POST requests. The cedcommerce plugin's PDF handling infrastructure lacks granular access control validation, allowing attack surface exposure through HTTP requests to vulnerable endpoints.

Affected ProductsAI

cedcommerce WP Advanced PDF plugin versions from an unspecified baseline through version 1.1.7 are affected. The plugin is distributed through the WordPress plugin repository and is identified by the slug wp-advanced-pdf. No specific CPE string is available in the provided data, but the vulnerability scope is limited to WordPress installations with this plugin active. Users running version 1.1.7 or earlier on any WordPress installation are exposed to the authorization bypass.

RemediationAI

Update cedcommerce WP Advanced PDF to a patched version beyond 1.1.7 as soon as a fixed release becomes available. Check the WordPress plugin repository or cedcommerce's official channels for the latest version, and enable automatic updates if your WordPress configuration permits. In the interim, consider disabling the plugin if its functionality is not critical, or restrict access to the affected plugin's endpoints through Web Application Firewall (WAF) rules or .htaccess-based IP whitelisting on the WordPress admin interface. The vendor advisory is available at https://patchstack.com/database/Wordpress/Plugin/wp-advanced-pdf/vulnerability/wordpress-wp-advanced-pdf-plugin-1-1-7-other-vulnerability-type-vulnerability?_s_id=cve for detailed remediation guidance.

Share

CVE-2025-62138 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy