CVE-2025-62888
Description
Missing Authorization vulnerability in Marco Milesi WP Attachments wp-attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Attachments: from n/a through <= 5.2.
Analysis
The WP Attachments WordPress plugin by Marco Milesi, through version 5.2, does not properly enforce authorization on protected attachments. An attacker who lacks the intended privileges (unauthenticated or low-privileged, depending on how the site's access levels are configured) can therefore reach files the plugin was meant to restrict. The root cause is a missing authorization check (CWE-862). Exploitation probability is rated low (EPSS 0.05%, 17th percentile), and no public exploit code or in-the-wild exploitation had been documented at the time of analysis.
Technical Context
WP Attachments adds per-attachment access control to WordPress, restricting which attachments are visible based on user roles and permissions. The flaw sits in the authorization logic that should confirm a requester holds sufficient privileges before a protected attachment is returned. CWE-862 (Missing Authorization) means that check is absent or not enforced on some path, so the plugin's intended security model can be bypassed. This is a recurring weakness class in WordPress plugins: an AJAX, REST or direct-download endpoint serves attachment metadata or file contents without verifying the caller's capabilities (for example with current_user_can()) against the roles the site owner configured. The public description names the weakness class, not the specific code path, so the above describes the class rather than the plugin's exact defect.
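As an added illustration of the CWE-862 class described above (example code written for this page, not the WP Attachments plugin's own code; the hook names, the `_example_min_role_cap` meta key and the `example_get_attachment` nonce action are hypothetical), the following shows an AJAX download handler that never asks whether the caller is authorized, beside a version that enforces the check before the file is touched:

```php
<?php
/**
 * Illustrative CWE-862 (Missing Authorization) in a WordPress attachment
 * download endpoint. Hypothetical hook names and meta key; this is NOT
 * the WP Attachments plugin's code.
 */

// VULNERABLE: registered for anonymous (nopriv) and logged-in requests,
// and the handler serves whatever attachment ID it is given. Any visitor
// who knows or guesses an ID can download a file the site marked protected.
add_action( 'wp_ajax_nopriv_example_get_attachment', 'example_get_attachment_vulnerable' );
add_action( 'wp_ajax_example_get_attachment', 'example_get_attachment_vulnerable' );
function example_get_attachment_vulnerable() {
    $id   = (int) ( $_GET['id'] ?? 0 );
    $path = get_attached_file( $id ); // absolute path of the upload, or false
    if ( ! $path || ! is_readable( $path ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    header( 'Content-Type: ' . get_post_mime_type( $id ) );
    readfile( $path ); // no capability check anywhere on this path
    exit;
}

// HARDENED: authorization is enforced before any file I/O.
//  1. Only the authenticated hook is registered (no wp_ajax_nopriv_ variant).
//  2. A nonce ties the request to the session; this is a CSRF control and
//     is NOT a substitute for the capability check that follows.
//  3. The capability the site owner required for this attachment
//     (hypothetical meta key '_example_min_role_cap') is verified with
//     current_user_can() for the current user.
add_action( 'wp_ajax_example_get_attachment_secure', 'example_get_attachment_secure' );
function example_get_attachment_secure() {
    check_ajax_referer( 'example_get_attachment', 'nonce' ); // dies on failure

    $id = (int) ( $_GET['id'] ?? 0 );
    if ( 'attachment' !== get_post_type( $id ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }

    // Required capability stored by the site owner; default to 'read'
    // (any logged-in user) when nothing was configured for this file.
    $required = get_post_meta( $id, '_example_min_role_cap', true );
    if ( ! $required ) {
        $required = 'read';
    }
    if ( ! current_user_can( $required ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    $path = get_attached_file( $id );
    if ( ! $path || ! is_readable( $path ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    nocache_headers(); // keep proxies and browsers from caching a protected file
    header( 'Content-Type: ' . get_post_mime_type( $id ) );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}
```

Two things to check when reviewing any plugin of this kind: the `wp_ajax_nopriv_` registration is what exposes a handler to anonymous requests, and a PHP-side capability check only matters if the web server is not also serving the same file directly from `wp-content/uploads/`, so protected files must live outside the web root or be blocked by a server rule for the check to be effective.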
Affected Products
Marco Milesi WP Attachments WordPress plugin versions through and including 5.2 are affected. The plugin is distributed through WordPress.org under the slug wp-attachments. Patchstack documents the vulnerability in its WordPress plugin vulnerability database at https://patchstack.com/database/Wordpress/Plugin/wp-attachments/vulnerability/wordpress-wp-attachments-plugin-5-2-broken-access-control-vulnerability.
Remediation
Update WP Attachments to a fixed release (a version later than 5.2) as soon as one is available: in the WordPress dashboard open Plugins, locate WP Attachments and apply the update. Until a fix is released, review the plugin's attachment access control settings and confirm that only the intended roles can reach protected files; if sensitive files rely on this protection, consider removing them or deactivating the plugin until the update ships. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-attachments/vulnerability/wordpress-wp-attachments-plugin-5-2-broken-access-control-vulnerability provides additional remediation guidance and should be consulted for specific configuration recommendations.