CVE-2025-62144

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 14:15 (nvd)

Description

Missing Authorization vulnerability in Mohammed Kaludi Core Web Vitals & PageSpeed Booster core-web-vitals-pagespeed-booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Core Web Vitals & PageSpeed Booster: from n/a through <= 1.0.28.

Analysis

Missing authorization checks in the Mohammed Kaludi Core Web Vitals & PageSpeed Booster WordPress plugin through version 1.0.28 allow unauthenticated attackers to exploit incorrectly configured access control to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862), enabling attackers to bypass security restrictions and access sensitive functionality without proper authentication or privilege verification.

Technical Context

The Core Web Vitals & PageSpeed Booster plugin (CPE: wordpress:core-web-vitals-&-pagespeed-booster) is a WordPress plugin designed to optimize web performance metrics and PageSpeed scores. The vulnerability is rooted in CWE-862 (Missing Authorization), which occurs when access control checks are either absent or improperly implemented in the plugin's administrative or sensitive functions. The application then treats all incoming requests as authorized without verifying the user's privilege level, role, or session validity. WordPress plugins are particularly susceptible to this class of vulnerability when they fail to properly use WordPress's capability and nonce checking functions (such as current_user_can() or check_admin_referer()) on AJAX endpoints, REST API routes, or direct function calls accessible via low-privilege or unauthenticated requests.
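The pattern described above can be audited statically. The following is an added example, not code from the plugin or from the advisory: a small Python heuristic that lists `wp_ajax_*` handlers whose body lacks a capability or nonce check. The PHP sample and its `demo_*` handler names are constructed for illustration.

```python
import re

# Constructed sample: hypothetical handlers, NOT code from the affected plugin.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_demo_save', 'demo_save' );
add_action( 'wp_ajax_nopriv_demo_clear_cache', 'demo_clear_cache' );
add_action( 'wp_ajax_demo_reset', 'demo_reset' );
function demo_save() {
    check_ajax_referer( 'demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_die( -1, 403 ); }
    update_option( 'demo_mode', 'on' );
}
function demo_clear_cache() { delete_option( 'demo_cache' ); }
function demo_reset() { check_ajax_referer( 'demo_nonce' ); delete_option( 'demo_mode' ); }
"""

HOOK_RE = re.compile(
    r"add_action\(\s*['\"](wp_ajax_(nopriv_)?[\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")
NONCE_RE = re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")

def function_body(src, name):
    """Return the text between a named function's braces (naive brace matching)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None  # method, closure, or defined in another file
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """List AJAX handlers whose body lacks a capability or nonce check."""
    findings = []
    for hook, nopriv, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is None:
            continue
        checks = [(bool(nopriv), "reachable without login"),
                  (not CAP_RE.search(body), "no capability check"),
                  (not NONCE_RE.search(body), "no nonce check")]
        issues = [msg for failed, msg in checks if failed]
        if issues:
            findings.append((hook, callback, issues))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_PHP), sep="\n")
```

This is a triage aid only: a handler that passes may still check the wrong capability, and one that is flagged may delegate its checks to a helper, so each finding needs manual review.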

Affected Products

Mohammed Kaludi Core Web Vitals & PageSpeed Booster WordPress plugin from initial release through version 1.0.28 is affected. The plugin is available on the WordPress.org plugin repository as core-web-vitals-pagespeed-booster. Detailed vulnerability information and patch status can be found in the Patchstack vulnerability database entry referenced in the advisory.

Remediation

Update the Mohammed Kaludi Core Web Vitals & PageSpeed Booster plugin to a version newer than 1.0.28 immediately. The exact patched version is not specified in the available data; consult the official WordPress plugin repository or the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/core-web-vitals-pagespeed-booster/vulnerability/wordpress-core-web-vitals-pagespeed-booster-plugin-1-0-27-broken-access-control-vulnerability?_s_id=cve) for the minimum safe version. As a temporary measure pending the update, administrators should monitor plugin usage and restrict access to plugin functions via WordPress permission management.

Priority Score

0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
