CVE-2025-63004

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 16:15 (nvd)

Description

Missing Authorization vulnerability in Skynet Technologies USA LLC All in One Accessibility all-in-one-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects All in One Accessibility: from n/a through <= 1.15.

Analysis

Missing authorization controls in All in One Accessibility WordPress plugin versions 1.15 and earlier allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from CWE-862 (Missing Authorization) and enables attackers to access or modify functionality that should be restricted, though exploitation probability is low (EPSS 0.04%). No public exploit code or active exploitation has been identified at the time of analysis.

Technical Context

All in One Accessibility is a WordPress plugin that implements accessibility features for websites. The vulnerability resides in the plugin's access control implementation, specifically in how it validates user permissions before granting access to sensitive operations or configuration settings. CWE-862 (Missing Authorization) indicates that the plugin fails to perform proper authorization checks: it may verify user identity (authentication) but does not verify that the authenticated or unauthenticated user has permission (authorization) to perform the requested action. This is a common pattern in WordPress plugins where actions or AJAX endpoints lack proper capability checks (e.g., missing `current_user_can()` validations), allowing privilege escalation or unauthorized access to administrative or restricted features.
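The following is an added illustration of the missing-capability-check pattern described above, shown as a vulnerable WordPress AJAX handler next to a hardened one. It is hypothetical plugin code written for this page, not code from All in One Accessibility; the `acme_` function names, action names and option name are assumed.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler. Hypothetical code,
// not All in One Accessibility's; all acme_* names and the option key are assumed.
// In a real plugin only one of the two handlers would exist.

// Vulnerable: registered for logged-in users AND anonymous visitors (wp_ajax_nopriv_),
// and it writes settings without checking that the caller is permitted to do so.
// Any request naming the action succeeds, regardless of who sends it.
add_action( 'wp_ajax_acme_save_settings', 'acme_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_acme_save_settings', 'acme_save_settings_vulnerable' );
function acme_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'acme_settings', $settings );
    wp_send_json_success( 'saved' );
}

// Hardened: no nopriv registration, an explicit capability check (authorization),
// a nonce check (CSRF protection), and input sanitization before the write.
add_action( 'wp_ajax_acme_save_settings_v2', 'acme_save_settings_hardened' );
function acme_save_settings_hardened() {
    // Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends the response and exits
    }
    // Request integrity: dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'acme_save_settings', 'nonce' );

    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $raw );
    update_option( 'acme_settings', $settings );
    wp_send_json_success( 'saved' );
}
```

When reviewing a plugin for this class of bug, every `wp_ajax_nopriv_*` registration and every `wp_ajax_*` handler that changes state is worth inspecting for a `current_user_can()` check matching the sensitivity of the operation.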

Affected Products

All in One Accessibility WordPress plugin from version 1.0 through version 1.15 is affected. The plugin is distributed through the WordPress.org plugin repository and is identified by the CPE or WordPress plugin identifier all-in-one-accessibility. Refer to the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/all-in-one-accessibility/vulnerability/wordpress-all-in-one-accessibility-plugin-1-14-broken-access-control-vulnerability for the vendor advisory and technical details.

Remediation

Site administrators should immediately update All in One Accessibility to the latest patched version released by Skynet Technologies USA LLC after version 1.15. Check the WordPress plugin update mechanism (Dashboard > Plugins) for availability of a newer version, or visit the official plugin page at https://wordpress.org/plugins/all-in-one-accessibility/. If a patched version is not yet available, temporarily deactivate the plugin until an update is released. No configuration-level workarounds are documented; the fix requires a code update from the vendor. Consult the Patchstack advisory for additional context and confirmation of patch availability.

Priority Score

Priority Score: 0 (KEV: 0, EPSS: +0.0, CVSS: +0, POC: 0)
