CVE-2025-62977

Severity: MEDIUM (CVSS 3.1 base score 5.3)
Published: 2025-10-27, source: [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline (2 events)

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 27, 2025 - 02:15 (nvd), rated MEDIUM 5.3

Description (NVD)

Missing Authorization vulnerability in 沃之涛 百度站长SEO合集(支持百度/神马/Bing/头条推送) (vendor Wozhitao; plugin "Baidu Webmaster SEO Collection (supports Baidu/Shenma/Bing/Toutiao push)", slug baiduseo) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects 百度站长SEO合集(支持百度/神马/Bing/头条推送): from n/a through <= 2.1.4.

Analysis (AI)

Missing authorization controls in the Baidu SEO Collection WordPress plugin (baiduseo), versions up to and including 2.1.4, allow unauthenticated remote attackers to reach functionality that should be limited to privileged users and to read information the plugin exposes through it. The NVD vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) describes a network-reachable flaw that needs no privileges or user interaction and has a limited confidentiality impact with no integrity or availability impact, giving a base score of 5.3 (MEDIUM). The EPSS exploitation probability is low at 0.03%, and no active exploitation has been confirmed.

Technical Context (AI)

The vulnerability is a broken access control (CWE-862: Missing Authorization) in the Baidu SEO Collection WordPress plugin, which submits site URLs to several search engine indexing services: Baidu, Shenma (神马), Bing and ByteDance's Toutiao (头条). In WordPress, authorization is not enforced by the framework for plugin code; a plugin that exposes a sensitive or administrative function over HTTP (an admin-ajax.php action, a REST route, or an admin page handler) must check the caller's capability itself, normally with current_user_can(), and pair it with a nonce check where state changes. CWE-862 in a plugin typically means a handler was registered for unauthenticated callers (for example a wp_ajax_nopriv_ hook or a REST route whose permission_callback always returns true) without such a check. The advisory does not name the affected endpoint; what it establishes is that at least one plugin function that should be restricted to administrators or other authorized users is reachable without any capability check, and that reaching it discloses information (CVSS C:L).
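The pattern the paragraph above describes, as an added illustration written for this page in the language WordPress plugins use; it is not the baiduseo plugin's code and does not claim to show the affected endpoint. The action names, option name and capability are assumptions chosen for the example. The first handler shows the CWE-862 shape (an admin-ajax action registered for anonymous callers with no authorization check); the second shows the same function with the checks a WordPress handler is expected to make, and the REST registration at the end shows the equivalent rule for register_rest_route().

```php
<?php
/**
 * Hypothetical example for this page (not the baiduseo plugin's code).
 * Assumed names: the 'seo_push_log' option, the AJAX actions
 * 'seo_push_log' / 'seo_push_log_v2', the 'seo-push/v1' REST namespace
 * and the 'manage_options' capability used for authorization.
 */

// --- Vulnerable pattern (CWE-862): registered for unauthenticated callers
// and never asks who is calling. Anyone can request
// /wp-admin/admin-ajax.php?action=seo_push_log and receive the stored log.
add_action( 'wp_ajax_nopriv_seo_push_log', 'seo_push_log_handler_vulnerable' );
add_action( 'wp_ajax_seo_push_log',        'seo_push_log_handler_vulnerable' );

function seo_push_log_handler_vulnerable() {
    // Returns submission history (URLs, push API tokens, engine responses)
    // with no capability check and no nonce.
    wp_send_json_success( get_option( 'seo_push_log', array() ) );
}

// --- Hardened pattern: no nopriv registration, so anonymous callers get
// WordPress's default "0" response; authenticated callers must still hold
// the capability and present a nonce.
add_action( 'wp_ajax_seo_push_log_v2', 'seo_push_log_handler_hardened' );

function seo_push_log_handler_hardened() {
    // 1. Authorization: only users allowed to manage plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. CSRF: the request must carry a nonce issued for this action
    //    (check_ajax_referer() dies with -1 on failure).
    check_ajax_referer( 'seo_push_log_nonce', 'nonce' );

    // 3. Least disclosure: strip secrets before returning the log.
    $log = get_option( 'seo_push_log', array() );
    foreach ( $log as &$entry ) {
        unset( $entry['api_token'] );
    }
    unset( $entry );
    wp_send_json_success( $log );
}

// --- REST routes: permission_callback is where authorization lives.
// '__return_true' here is the REST equivalent of wp_ajax_nopriv_.
add_action( 'rest_api_init', function () {
    register_rest_route( 'seo-push/v1', '/log', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( get_option( 'seo_push_log', array() ) );
        },
        // Authorization check runs before the callback on every request.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin for this class of bug, the quickest check is to list every wp_ajax_nopriv_ hook, every register_rest_route() call whose permission_callback is '__return_true' or missing, and every admin_post_nopriv_ hook, then confirm that each one either performs no sensitive work or calls current_user_can() (or an equivalent) before doing so.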

Affected Products (AI)

The Baidu SEO Collection WordPress plugin (slug baiduseo, vendor 沃之涛) is affected in all versions up to and including 2.1.4; the advisory gives no lower bound ("from n/a"). The plugin pushes URLs to Baidu, Shenma, Bing and Toutiao (ByteDance) indexing services. The vulnerability was reported through Patchstack, which is also the source of the record's contact address; Patchstack is the reporting and advisory channel, not the distribution channel for the plugin. The NVD record identifies the product by the plugin name and slug rather than by a CPE, so inventories should match on the slug baiduseo and the version range <= 2.1.4.

Remediation (AI)

Update the Baidu SEO Collection plugin to version 2.1.5 or later, the release this analysis identifies as adding the missing authorization checks; confirm the fixed version against the Patchstack advisory before relying on it. Upgrade through the WordPress plugin dashboard or WP-CLI, or install the patched version from the plugin's repository listing. If the update cannot be applied immediately, deactivate the plugin: because the flaw needs no privileges (PR:N), the exposed function is reachable by anonymous requests, and plugin endpoints of this kind are usually served through admin-ajax.php or the REST API, so restricting the wp-admin login pages or tightening user roles and capabilities does not close the exposure. Network-level restriction of the whole site or of /wp-admin/admin-ajax.php and /wp-json/ to trusted addresses reduces exposure only where that is operationally acceptable. After updating, verify the installed version is above 2.1.4 and review web server logs for unexpected unauthenticated requests to the plugin's endpoints.


CVE-2025-62977 vulnerability details – vuln.today
