Skip to main content

CVE-2025-62147

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 15:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in nikmelnik Realbig realbig-media allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Realbig: from n/a through <= 1.1.3.

AnalysisAI

Missing authorization controls in nikmelnik Realbig media WordPress plugin versions up to 1.1.3 allow unauthenticated attackers to bypass access control restrictions and exploit misconfigured security levels, potentially exposing restricted content or functionality. The vulnerability is classified as a broken access control issue (CWE-862) with low exploitation probability (EPSS 0.04%) and no public exploit code identified at the time of analysis.

Technical ContextAI

The vulnerability stems from inadequate authorization checks in the Realbig media plugin, falling under CWE-862 (Missing Authorization). This WordPress plugin plugin likely implements access control mechanisms to restrict certain media assets or features to specific user roles or authenticated users, but the authorization logic either fails to validate permissions correctly or is entirely absent from critical code paths. The underlying issue is a classic broken access control flaw where the application does not properly verify that a user has permission to access requested resources before granting access. This type of vulnerability often manifests when authorization checks are missing from admin-accessible endpoints, AJAX handlers, or REST API routes.

Affected ProductsAI

nikmelnik Realbig media WordPress plugin versions from an unspecified baseline through version 1.1.3 inclusive are affected. The vulnerable component is the core access control implementation within the plugin. The plugin is available on the WordPress plugin repository and is referenced in the Patchstack vulnerability database at the provided URL.

RemediationAI

WordPress administrators should immediately upgrade nikmelnik Realbig media plugin to a version newer than 1.1.3 when available. Until a patched version is released, administrators should disable or deactivate the plugin to prevent unauthorized access exploitation. Detailed remediation guidance is available in the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/realbig-media/vulnerability/wordpress-realbig-plugin-1-1-3-broken-access-control-vulnerability. Site administrators should review access logs to determine whether the vulnerability was exploited before patching.

Share

CVE-2025-62147 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy