CVE-2025-62999

Severity: MEDIUM (CVSS 3.1 base score 5.4)
Published: 2025-12-09 ([email protected])

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), rated MEDIUM 5.4

Description (NVD)

Missing Authorization vulnerability in themezaa Litho Addons litho-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Litho Addons: from n/a through <= 3.5.

Analysis (AI)

Missing authorization in themezaa Litho Addons for WordPress (versions through 3.5) allows authenticated users to bypass access controls and gain unauthorized read/write access to sensitive data. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before exposing functionality. With an EPSS score of 0.04% and CVSS 5.4, exploitation requires valid authentication but no advanced attack complexity; this represents a moderate privilege escalation risk for multi-user WordPress installations.

Technical Context (AI)

This vulnerability is classified as CWE-862 (Missing Authorization), a fundamental access control flaw where the application fails to enforce proper authorization checks before granting access to sensitive operations or data. The Litho Addons plugin, a WordPress theme customization toolkit, implements insufficient permission validation in its administrative or user-facing functions. Authenticated users with low-level privileges (indicated by PR:L in the CVSS vector) can exploit this by directly accessing or manipulating protected resources without proper role-based access control (RBAC) validation. The network attack vector (AV:N) and low complexity (AC:L) indicate the flaw is trivial to exploit once authentication is obtained, likely via direct HTTP requests to vulnerable endpoints without requiring additional user interaction (UI:N).
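The CWE-862 pattern described above is easiest to recognise in WordPress by comparing a handler that relies on login alone with one that enforces a capability. The following is an added, hypothetical illustration written for this record; it is not Litho Addons' code, and the action names, option name and REST namespace (`example_save_setting`, `example_setting`, `example/v1`) are invented. It uses `edit_theme_options`, the capability the Remediation section of this record refers to, as the role boundary.

```php
<?php
/**
 * Added illustration of CWE-862 in a WordPress plugin (hypothetical code,
 * not Litho Addons' own). Handlers hooked on wp_ajax_{action} are reachable
 * by any logged-in user through admin-ajax.php: WordPress checks that the
 * caller is authenticated, not which role they hold.
 */

// --- Vulnerable pattern (missing authorization) ---------------------------
// No capability check: a subscriber-level account can change the option
// (integrity impact) and read the stored value back (confidentiality impact),
// which matches the PR:L / C:L / I:L profile of this record.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_unchecked' );
function example_save_setting_unchecked() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_setting', $value );
    wp_send_json_success( array( 'value' => get_option( 'example_setting' ) ) );
}

// --- Hardened pattern -----------------------------------------------------
// 1. check_ajax_referer() ties the request to a nonce issued for this action.
// 2. current_user_can() enforces the role boundary; edit_theme_options is the
//    capability an administrator of theme settings would legitimately hold.
add_action( 'wp_ajax_example_save_setting_secure', 'example_save_setting_checked' );
function example_save_setting_checked() {
    check_ajax_referer( 'example_save_setting', 'nonce' );
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_setting', $value );
    wp_send_json_success( array( 'value' => get_option( 'example_setting' ) ) );
}

// --- The same boundary on a REST route ------------------------------------
// For REST routes the authorization decision lives in permission_callback.
// Returning true unconditionally there reproduces the CWE-862 pattern.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/setting', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'example_setting', sanitize_text_field( $request->get_param( 'value' ) ) );
            return rest_ensure_response( array( 'value' => get_option( 'example_setting' ) ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'edit_theme_options' );
        },
        'args'                => array(
            'value' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

When auditing a plugin for this class of flaw, list every `wp_ajax_*`, `admin_post_*` and `register_rest_route` registration and confirm that each handler (or its `permission_callback`) calls `current_user_can()` with a capability appropriate to the operation; a handler that only verifies a nonce, or only that the user is logged in, is still missing authorization.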

Affected Products (AI)

themezaa Litho Addons WordPress plugin versions 3.5 and earlier are affected. The plugin is distributed via WordPress plugin repositories and is identified under the Litho Addons product family. Exact version cutoff is stated as through version 3.5 with no specified minimum affected version. Users running any version up to and including 3.5 should apply remediation immediately.

Remediation (AI)

Upgrade themezaa Litho Addons to a version newer than 3.5 (exact patched version number not provided in available data; check the Patchstack advisory and official WordPress plugin repository for the latest release). Users should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate Litho Addons, and apply the available update. If a patched version is not yet available, temporarily restrict plugin access by disabling it or limiting user roles with edit_theme_options capabilities until an official update is released. For additional guidance and confirmation of the patched version, consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/litho-addons/vulnerability/wordpress-litho-addons-plugin-3-4-broken-access-control-vulnerability?_s_id=cve.


CVE-2025-62999 vulnerability details – vuln.today
