Skip to main content

Mohammed Kaludi Core Web Vitals CVE-2025-62144

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 14:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Mohammed Kaludi Core Web Vitals & PageSpeed Booster core-web-vitals-pagespeed-booster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Core Web Vitals & PageSpeed Booster: from n/a through <= 1.0.28.

AnalysisAI

Missing authorization checks in Mohammed Kaludi Core Web Vitals & PageSpeed Booster WordPress plugin through version 1.0.28 allows unauthenticated attackers to exploit incorrectly configured access control to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862), enabling attackers to bypass security restrictions and access sensitive functionality without proper authentication or privilege verification.

Technical ContextAI

The Core Web Vitals & PageSpeed Booster plugin (CPE: wordpress:core-web-vitals-&-pagespeed-booster) is a WordPress plugin designed to optimize web performance metrics and PageSpeed scores. The vulnerability roots in CWE-862 (Missing Authorization), which occurs when access control checks are either absent or improperly implemented in the plugin's administrative or sensitive functions. This allows the application to assume all incoming requests are authorized without verifying the user's privilege level, role, or session validity. WordPress plugins are particularly susceptible to this class of vulnerability when they fail to properly use WordPress's capability checking functions (such as current_user_can() or check_admin_referer()) on AJAX endpoints, REST API routes, or direct function calls accessible via low-privilege or unauthenticated requests.

Affected ProductsAI

Mohammed Kaludi Core Web Vitals & PageSpeed Booster WordPress plugin from initial release through version 1.0.28 is affected. The plugin is available on the WordPress.org plugin repository as core-web-vitals-pagespeed-booster. Detailed vulnerability information and patch status can be found in the Patchstack vulnerability database entry referenced in the advisory.

RemediationAI

Update Mohammed Kaludi Core Web Vitals & PageSpeed Booster plugin to a version newer than 1.0.28 immediately. The exact patched version is not specified in the available data; consult the official WordPress plugin repository or the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/core-web-vitals-pagespeed-booster/vulnerability/wordpress-core-web-vitals-pagespeed-booster-plugin-1-0-27-broken-access-control-vulnerability?_s_id=cve) for the minimum safe version. As a temporary measure pending update, administrators should monitor plugin usage and restrict access to plugin functions via WordPress permission management until patched.

Share

CVE-2025-62144 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy