Skip to main content

CVE-2025-62150

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
4.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in themesawesome History Timeline timeline-awesome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects History Timeline: from n/a through <= 1.0.6.

AnalysisAI

Missing authorization controls in themesawesome History Timeline WordPress plugin versions through 1.0.6 permit exploitation of incorrectly configured access control, allowing unauthenticated or low-privileged users to bypass security restrictions and access protected functionality. The vulnerability stems from improper enforcement of access control checks (CWE-862), classified as a broken access control flaw. No public exploit code or active exploitation has been confirmed, though the low EPSS score (0.04%) suggests limited practical exploitation likelihood in real-world deployments.

Technical ContextAI

The vulnerability exists in the themesawesome History Timeline WordPress plugin, which provides timeline display and management functionality. The root cause is CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user permissions before allowing access to sensitive operations or data. WordPress plugins are server-side PHP applications loaded into the wp-content/plugins directory; broken access control flaws in WordPress plugins typically manifest when nonces are missing, role checks are absent, or capability verification is incomplete in AJAX handlers or REST endpoints. The affected CPE context is WordPress plugin ecosystem (cpe:2.25:a:themesawesome:history_timeline), where authorization bypass vulnerabilities can expose timeline creation, editing, deletion, or viewing capabilities to unauthorized users.

Affected ProductsAI

themesawesome History Timeline WordPress plugin in versions up to and including 1.0.6. The vulnerability affects all installations of this plugin that have not been updated beyond version 1.0.6. See Patchstack advisory for version distribution and deployment statistics.

RemediationAI

Update themesawesome History Timeline plugin to the latest available version beyond 1.0.6 immediately. Verify the exact patched version number from the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/timeline-awesome/vulnerability/wordpress-history-timeline-plugin-1-0-6-broken-access-control-vulnerability?_s_id=cve) or the official plugin repository. As an interim mitigation, restrict plugin access via WordPress user role management and verify that timeline functionality is only accessible to intended user roles via the WordPress admin interface.

Share

CVE-2025-62150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy