CVE-2025-62993

MEDIUM
2025-12-09 [email protected]
4.3
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), rated MEDIUM 4.3

Description (NVD)

Missing Authorization vulnerability in rainafarai Notification for Telegram (notification-for-telegram) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Notification for Telegram: from n/a through <= 3.5.

Analysis (AI)

Missing authorization controls in the Notification for Telegram WordPress plugin through version 3.5 allow authenticated users to modify notification settings they should not have access to, resulting in limited integrity impact. The vulnerability requires valid user credentials (PR:L in the CVSS vector) and concerns the plugin's authorization enforcement rather than an authentication bypass. With an EPSS score of 0.04% and no confirmed active exploitation, it represents a low-probability real-world risk despite the authentication-bypass tag.

Technical Context (AI)

The vulnerability stems from CWE-862 (Missing Authorization), a class of flaw where an application fails to enforce access control checks on user actions. In the Notification for Telegram plugin, this manifests as incorrectly configured access control security levels that do not validate whether an authenticated user should be permitted to read or modify specific notification settings. The plugin is a WordPress component (the CPE identifies it as a WordPress plugin tracked in the Patchstack vulnerability database) that integrates Telegram messaging capabilities. The flaw allows privilege escalation at the authorization layer: an authenticated user can perform actions beyond their intended scope, though without gaining full administrative capability (hence the CVSS score of 4.3 and the integrity-only impact C:N/I:L/A:N).

Affected Products (AI)

The Notification for Telegram WordPress plugin published by rainafarai is affected in versions from initial release through and including version 3.5. The plugin is distributed via WordPress.org and monitored by Patchstack (CPE reference: WordPress/Plugin/notification-for-telegram). All prior versions up to and including 3.5 contain the missing authorization controls. Specific affected version ranges and platform details are available in the Patchstack vulnerability database entry linked in the references.

Remediation (AI)

Users of the Notification for Telegram plugin should upgrade to a version released after 3.5 that addresses the authorization control flaws; the exact patched version number is not explicitly stated in the available data, but Patchstack advisory references indicate a patch is available. The remediation should be applied by accessing the WordPress plugin update mechanism and installing the latest available version of Notification for Telegram. As an immediate workaround pending patch deployment, site administrators should restrict plugin access by limiting user roles that can modify notification settings to only trusted administrators, leveraging WordPress native role and capability management systems. Detailed remediation guidance is available at https://patchstack.com/database/Wordpress/Plugin/notification-for-telegram/vulnerability/wordpress-notification-for-telegram-plugin-3-4-7-broken-access-control-vulnerability?_s_id=cve.
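The CWE-862 pattern described in the Technical Context section, and the capability-based control recommended above, are easiest to see side by side in code. The following is an added illustrative example, not code from the Notification for Telegram plugin or from Patchstack: it shows a hypothetical WordPress AJAX handler that saves plugin settings without any authorization check, next to a hardened version that requires the `manage_options` capability and a valid nonce. The option name, hook names, nonce action and field names (`nftg_example_*`, `chat_id`, `enabled`) are all invented for the example; only the WordPress API calls (`current_user_can`, `check_ajax_referer`, `update_option`, `wp_send_json_*`, `add_action`) are real.

```php
<?php
// Added example: a hypothetical settings handler, not the plugin's own code.
// Demonstrates CWE-862 (missing authorization) in a WordPress plugin and the fix.

// Hypothetical option that would hold the Telegram notification settings.
define( 'NFTG_EXAMPLE_OPTION', 'nftg_example_settings' );

/**
 * Reads and sanitizes the submitted settings. Shared by both handlers so the
 * only difference between them is the authorization check.
 */
function nftg_example_read_settings_from_request() {
    return array(
        'chat_id' => isset( $_POST['chat_id'] )
            ? sanitize_text_field( wp_unslash( $_POST['chat_id'] ) )
            : '',
        'enabled' => ! empty( $_POST['enabled'] ),
    );
}

/**
 * VULNERABLE PATTERN (CWE-862).
 * wp_ajax_{action} hooks run for every logged-in user, regardless of role.
 * Because this handler never checks a capability, any authenticated account
 * (e.g. a subscriber) can overwrite the settings: an integrity impact only,
 * which is the C:N/I:L/A:N shape seen in the CVSS vector above.
 */
function nftg_example_save_settings_vulnerable() {
    $settings = nftg_example_read_settings_from_request();
    update_option( NFTG_EXAMPLE_OPTION, $settings ); // no capability or nonce check
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_nftg_example_save_vulnerable', 'nftg_example_save_settings_vulnerable' );

/**
 * HARDENED PATTERN.
 * 1. Authorization: require a capability that only trusted roles hold.
 *    'manage_options' is granted to administrators by default, which matches
 *    the "restrict to trusted administrators" workaround in the Remediation.
 * 2. Request integrity: verify a nonce so the action cannot be triggered by a
 *    forged cross-site request carrying the user's session.
 * Both checks terminate the request on failure (wp_send_json_error and
 * check_ajax_referer both call die()), so update_option is never reached.
 */
function nftg_example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'nftg_example_save', 'nonce' );

    $settings = nftg_example_read_settings_from_request();
    update_option( NFTG_EXAMPLE_OPTION, $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_nftg_example_save_hardened', 'nftg_example_save_settings_hardened' );

/**
 * The nonce has to be issued to the admin page that submits the form. This
 * registers a hypothetical settings page gated by the same capability and
 * hands the nonce to its script, so the client can send it as the 'nonce'
 * POST field that check_ajax_referer() above looks for.
 */
function nftg_example_register_admin_page() {
    add_options_page(
        'NFTG Example Settings',
        'NFTG Example',
        'manage_options',            // same capability as the save handler
        'nftg-example',
        'nftg_example_render_page'   // hypothetical render callback
    );
}
add_action( 'admin_menu', 'nftg_example_register_admin_page' );

function nftg_example_enqueue_admin_script( $hook_suffix ) {
    if ( 'settings_page_nftg-example' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'nftg-example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'nftg-example-admin', 'nftgExample', array(
        'nonce'   => wp_create_nonce( 'nftg_example_save' ),
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'nftg_example_enqueue_admin_script' );
```

When reviewing a plugin for this class of flaw, the thing to look for is exactly the gap in the first handler: every `wp_ajax_*`, REST route, `admin_post_*` or settings-page callback that writes an option should have a `current_user_can()` check (or a REST `permission_callback`) whose capability matches the sensitivity of the setting, with the nonce check as a separate, additional control rather than a substitute for it.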
