CVE-2025-62755
Description
Missing Authorization vulnerability in GS Plugins GS Portfolio for Envato gs-envato-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GS Portfolio for Envato: from n/a through <= 1.4.2.
Analysis
Missing authorization controls in GS Portfolio for Envato WordPress plugin versions up to 1.4.2 allow unauthenticated attackers to bypass access restrictions and exploit incorrectly configured security levels to access protected functionality or data. The vulnerability stems from inadequate access control validation, enabling attackers to manipulate requests to resources that should be restricted. No public exploit code has been identified, and the low EPSS score of 0.04% suggests limited real-world exploitation likelihood, though the missing CVSS vector prevents definitive severity assessment.
Technical Context
GS Portfolio for Envato is a WordPress plugin that integrates Envato portfolio functionality into WordPress sites. The vulnerability is rooted in CWE-862 (Missing Authorization), a class of access control flaws where the application fails to properly verify that users have the required permissions before granting access to sensitive operations or data. WordPress plugins are particularly susceptible to authorization bypass when they do not consistently check user capabilities (using WordPress's native `current_user_can()` function) before processing requests that interact with protected resources, API endpoints, or admin functionality. This flaw allows an attacker to circumvent the plugin's intended security boundaries.
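To make the CWE-862 pattern concrete, the following added example (not code from GS Portfolio for Envato or from GS Plugins; every `demo_portfolio_*` name, option, post type and route is hypothetical) shows a WordPress AJAX handler and a REST route first without, then with, the capability and nonce checks that a missing-authorization flaw lacks:

```php
<?php
// Added illustration, not the plugin's own code. All demo_portfolio_* names,
// the option key and the REST namespace are invented for this example.

// --- Vulnerable pattern: state-changing handler with no authorization check ---
function demo_portfolio_save_settings_unchecked() {
    // wp_ajax_nopriv_ exposes this handler to logged-out visitors, and nothing
    // verifies that the caller is allowed to change plugin settings.
    update_option( 'demo_portfolio_api_key', sanitize_text_field( $_POST['api_key'] ?? '' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_portfolio_save', 'demo_portfolio_save_settings_unchecked' );
add_action( 'wp_ajax_nopriv_demo_portfolio_save', 'demo_portfolio_save_settings_unchecked' );

// --- Hardened pattern: nonce and capability check before any state change ---
function demo_portfolio_save_settings() {
    // CSRF protection: the request must carry a nonce created with
    // wp_create_nonce( 'demo_portfolio_save' ) in the 'nonce' field.
    check_ajax_referer( 'demo_portfolio_save', 'nonce' );

    // Authorization: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    update_option( 'demo_portfolio_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_demo_portfolio_save', 'demo_portfolio_save_settings' );

// --- The same flaw and fix on a REST route ---
add_action( 'rest_api_init', function () {
    // Vulnerable: a permission_callback of __return_true makes the route public.
    register_rest_route( 'demo-portfolio/v1', '/items', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'demo_portfolio_create_item',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: the permission callback gates the route on a capability.
    register_rest_route( 'demo-portfolio/v1', '/items-secure', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'demo_portfolio_create_item',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

function demo_portfolio_create_item( WP_REST_Request $request ) {
    $title = sanitize_text_field( $request->get_param( 'title' ) );
    $id    = wp_insert_post( array(
        'post_title' => $title,
        'post_type'  => 'demo_portfolio_item',
    ) );
    return rest_ensure_response( array( 'id' => $id ) );
}
```

When auditing a plugin for this class of bug, the two registrations to look at first are `wp_ajax_nopriv_` hooks and REST routes whose `permission_callback` is `__return_true`: each marks an entry point reachable without authentication, and every state-changing or data-returning path behind it should be gated by `current_user_can()` (and, for browser-driven requests, a nonce check) before it does any work.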
Affected Products
GS Portfolio for Envato WordPress plugin is affected in versions from an unspecified baseline through version 1.4.2 inclusive. The plugin is available on WordPress.org and Envato marketplaces. Affected installations include any site running GS Portfolio for Envato plugin version 1.4.2 or earlier. Additional version information and CPE identifiers are not provided in the available data.
Remediation
Immediately upgrade GS Portfolio for Envato to a version higher than 1.4.2; the vendor advisory should specify the patched version available. Site administrators should access their WordPress plugin management interface, navigate to the GS Portfolio for Envato plugin listing, and update to the latest available release. Verify the plugin changelog at the WordPress.org plugin directory or the official vendor website to confirm that the update addresses this authorization vulnerability. Until an upgrade is available, consider temporarily disabling the plugin if it is not actively required; alternatively, restrict access to its functionality through additional WordPress security plugins or Web Application Firewall rules. Consult the Patchstack vulnerability database entry referenced in the intelligence data for any additional mitigation guidance from the plugin maintainers.