Skip to main content

GS Plugins GS Portfolio CVE-2025-62755

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in GS Plugins GS Portfolio for Envato gs-envato-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GS Portfolio for Envato: from n/a through <= 1.4.2.

AnalysisAI

Missing authorization controls in GS Portfolio for Envato WordPress plugin versions up to 1.4.2 allow unauthenticated attackers to bypass access restrictions and exploit incorrectly configured security levels to access protected functionality or data. The vulnerability stems from inadequate access control validation, enabling attackers to manipulate requests to resources that should be restricted. No public exploit code has been identified, and the low EPSS score of 0.04% suggests limited real-world exploitation likelihood, though the missing CVSS vector prevents definitive severity assessment.

Technical ContextAI

GS Portfolio for Envato is a WordPress plugin that integrates Envato portfolio functionality into WordPress sites. The vulnerability is rooted in CWE-862 (Missing Authorization), a class of access control flaws where the application fails to properly verify that users have the required permissions before granting access to sensitive operations or data. WordPress plugins are particularly susceptible to authorization bypass when they do not consistently check user capabilities (using WordPress's native current_user_can() function) before processing requests that interact with protected resources, API endpoints, or admin functionality. This flaw allows an attacker to circumvent the plugin's intended security boundaries.

Affected ProductsAI

GS Portfolio for Envato WordPress plugin is affected in versions from an unspecified baseline through version 1.4.2 inclusive. The plugin is available on WordPress.org and Envato marketplaces. Affected installations include any site running GS Portfolio for Envato plugin version 1.4.2 or earlier. Additional version information and CPE identifiers are not provided in the available data.

RemediationAI

Immediately upgrade GS Portfolio for Envato to a version higher than 1.4.2; the vendor advisory should specify the patched version available. Site administrators should access their WordPress plugin management interface, navigate to the GS Portfolio for Envato plugin listing, and update to the latest available release. Verify the plugin changelog at the WordPress.org plugin directory or the official vendor website to confirm that the update addresses this authorization vulnerability. Until an upgrade is available, consider temporarily disabling the plugin if it is not actively required; alternatively, restrict access to its functionality through additional WordPress security plugins or Web Application Firewall rules. Consult the Patchstack vulnerability database entry referenced in the intelligence data for any additional mitigation guidance from the plugin maintainers.

Share

CVE-2025-62755 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy