CVE-2025-62931
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Missing Authorization vulnerability in microsoftstart MSN Partner Hub microsoft-start allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MSN Partner Hub: from n/a through <= 2.9.
Analysis
Broken access control in MSN Partner Hub WordPress plugin allows authenticated attackers with low privileges to bypass authorization controls and gain unauthorized access to high-privilege functions. This CWE-862 missing authorization flaw affects versions through 2.9, enabling authenticated users to execute actions beyond their intended permission level. EPSS score of 0.05% (15th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Technical Context
This vulnerability stems from CWE-862 (Missing Authorization), where the MSN Partner Hub WordPress plugin fails to properly verify user permissions before granting access to privileged functions. The flaw represents a broken access control implementation where authentication alone is verified, but subsequent authorization checks for specific actions or resources are absent or incorrectly configured. This allows low-privileged authenticated users to escalate their access horizontally or vertically within the plugin's functionality. WordPress plugins commonly suffer from this vulnerability class when developers implement authentication hooks but neglect to add capability checks (e.g., current_user_can()) before executing sensitive operations such as configuration changes, data modification, or administrative functions. The affected component is the MSN Partner Hub plugin, a Microsoft-affiliated WordPress extension for content syndication and partnership management.
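The pattern described above, shown as an added example rather than code from the MSN Partner Hub plugin: an admin-ajax handler that relies on the login requirement of the wp_ajax_ hook as its only gate, beside a hardened version that adds a nonce check and a capability check before changing state, plus the equivalent REST route guard. The plugin name, option name and action names (example_hub_*) are hypothetical.

```php
<?php
// Added illustration, not code from the MSN Partner Hub plugin. The plugin,
// option and action names below are hypothetical.

// VULNERABLE PATTERN (CWE-862): wp_ajax_* hooks only fire for logged-in users,
// so authentication is verified, but nothing checks what the caller is allowed
// to do. Any Subscriber can overwrite the setting.
add_action( 'wp_ajax_example_hub_save_settings', 'example_hub_save_settings_vulnerable' );
function example_hub_save_settings_vulnerable() {
    $feed_url = isset( $_POST['feed_url'] ) ? $_POST['feed_url'] : '';
    update_option( 'example_hub_feed_url', $feed_url ); // no capability check, no nonce
    wp_send_json_success();
}

// HARDENED PATTERN: verify the nonce (CSRF) and the capability (authorization)
// before touching privileged state, and sanitize the input.
add_action( 'wp_ajax_example_hub_save_settings_v2', 'example_hub_save_settings_hardened' );
function example_hub_save_settings_hardened() {
    // Nonce issued on the settings page with
    // wp_nonce_field( 'example_hub_save', '_example_hub_nonce' ).
    check_ajax_referer( 'example_hub_save', '_example_hub_nonce' );

    // Authorization: being logged in is not enough; require the capability
    // that matches the sensitivity of the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $feed_url = isset( $_POST['feed_url'] )
        ? esc_url_raw( wp_unslash( $_POST['feed_url'] ) )
        : '';
    update_option( 'example_hub_feed_url', $feed_url );
    wp_send_json_success();
}

// The same rule applies to REST routes: permission_callback must perform the
// capability check. Returning true unconditionally exposes the route to
// every authenticated (and, without a nonce, every unauthenticated) caller.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-hub/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_hub_rest_save',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
function example_hub_rest_save( WP_REST_Request $request ) {
    update_option( 'example_hub_feed_url', esc_url_raw( $request->get_param( 'feed_url' ) ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

When auditing a plugin for this class, grep every wp_ajax_, admin_post_ and register_rest_route handler and confirm each one calls current_user_can() (or a permission_callback that does) before any update_option, database write or file operation; a handler that only checks is_user_logged_in() or a nonce is the missing-authorization shape this CVE describes.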
Affected Products
The vulnerability affects the MSN Partner Hub WordPress plugin developed by microsoftstart, specifically all versions from initial release through version 2.9 inclusive. The plugin is listed in the WordPress plugin repository under the slug microsoft-start and is used to integrate Microsoft Start (formerly MSN) content syndication and partner management into WordPress sites. The Patchstack advisory cited in the Remediation section is titled for version 2.8.7, while the CVE record gives 2.9 as the upper bound of affected versions; both should be treated as affected. Organizations running any version of this plugin at or below 2.9 should consider themselves affected regardless of WordPress core version, as this is a plugin-specific authorization flaw.
Remediation
Upgrade the MSN Partner Hub WordPress plugin to version 2.9.1 or later if available, as version 2.9 is confirmed vulnerable. Site administrators should immediately verify their installed plugin version via the WordPress admin dashboard under Plugins. If a patched version is not yet available through the WordPress plugin repository, temporary risk mitigation includes restricting plugin access to only fully-trusted administrator accounts, removing lower-privileged user roles from sites where this plugin is active, or deactivating the plugin entirely until a verified patch is released. Consult the official Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/microsoft-start/vulnerability/wordpress-msn-partner-hub-plugin-2-8-7-broken-access-control-vulnerability for the most current patch status and vendor guidance. Implement WordPress security best practices including role-based access control auditing, principle of least privilege for user accounts, and Web Application Firewall rules to detect authorization bypass attempts if immediate patching is not feasible.
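One way to automate the version check and interim deactivation described above, as an added example that is not part of the advisory or the plugin: a must-use plugin that looks up the plugin installed under the microsoft-start directory, compares its reported version against the 2.9 upper bound, and deactivates it with an admin notice if it is still in the affected range. The guard's own name, the constants and the notice wording are assumptions; the fixed-version boundary comes from the CVE record.

```php
<?php
/**
 * Plugin Name: Example Hub Version Guard (added example, not part of the advisory)
 *
 * Drop into wp-content/mu-plugins/. On each admin request it checks whether a
 * plugin installed under the directory 'microsoft-start' reports a version at or
 * below 2.9 (the upper bound of affected versions) and, if so, deactivates it and
 * shows an admin notice. Remove the file once a fixed release is installed.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const EXAMPLE_HUB_SLUG     = 'microsoft-start'; // plugin directory slug from the advisory
const EXAMPLE_HUB_MAX_VULN = '2.9';             // highest affected version per the CVE record

// Locate the plugin in the get_plugins() array (keys look like "dir/file.php").
// Kept as a pure function over that array so it can be checked without a running site.
function example_hub_find_plugin( array $installed_plugins ) {
    foreach ( $installed_plugins as $plugin_file => $data ) {
        if ( strpos( $plugin_file, EXAMPLE_HUB_SLUG . '/' ) === 0 ) {
            return array( 'file' => $plugin_file, 'version' => (string) $data['Version'] );
        }
    }
    return null;
}

// version_compare() treats "2.9" and "2.9.0" as equal and "2.9.1" as newer,
// so the boundary matches the advisory's "through <= 2.9".
function example_hub_is_vulnerable( $version ) {
    return version_compare( $version, EXAMPLE_HUB_MAX_VULN, '<=' );
}

add_action( 'admin_init', function () {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $found = example_hub_find_plugin( get_plugins() );
    if ( $found === null || ! is_plugin_active( $found['file'] ) ) {
        return;
    }
    if ( ! example_hub_is_vulnerable( $found['version'] ) ) {
        return;
    }
    deactivate_plugins( $found['file'] );
    add_action( 'admin_notices', function () use ( $found ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'MSN Partner Hub %s was deactivated by the version guard: versions through 2.9 are affected by CVE-2025-62931. Update to a fixed release before re-enabling.',
                $found['version']
            ) )
        );
    } );
} );
```

The check runs only in wp-admin, so front-end traffic is unaffected; if deactivation is too disruptive for a site that depends on the syndication feed, drop the deactivate_plugins() call and keep the notice, which still gives administrators the version evidence the Remediation section asks them to verify.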