Skip to main content

Skynet Technologies USA LLC All CVE-2025-63004

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
4.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Skynet Technologies USA LLC All in One Accessibility all-in-one-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects All in One Accessibility: from n/a through <= 1.15.

AnalysisAI

Missing authorization controls in All in One Accessibility WordPress plugin versions 1.15 and earlier allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from CWE-862 (Missing Authorization) and enables attackers to access or modify functionality that should be restricted, though exploitation probability is low (EPSS 0.04%). No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

All in One Accessibility is a WordPress plugin that implements accessibility features for websites. The vulnerability resides in the plugin's access control implementation, specifically in how it validates user permissions before granting access to sensitive operations or configuration settings. CWE-862 (Missing Authorization) indicates the plugin fails to perform proper authorization checks-it may verify user identity (authentication) but does not verify that the authenticated or unauthenticated user has permission (authorization) to perform the requested action. This is a common pattern in WordPress plugins where actions or AJAX endpoints lack proper capability checks (e.g., missing current_user_can() validations), allowing privilege escalation or unauthorized access to administrative or restricted features.

Affected ProductsAI

All in One Accessibility WordPress plugin from version 1.0 through version 1.15 is affected. The plugin is distributed through the WordPress.org plugin repository and is identified by the CPE or WordPress plugin identifier all-in-one-accessibility. Refer to the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/all-in-one-accessibility/vulnerability/wordpress-all-in-one-accessibility-plugin-1-14-broken-access-control-vulnerability for the vendor advisory and technical details.

RemediationAI

Site administrators should immediately update All in One Accessibility to the latest patched version released by Skynet Technologies USA LLC after version 1.15. Check the WordPress plugin update mechanism (Dashboard > Plugins) for availability of a newer version, or visit the official plugin page at https://wordpress.org/plugins/all-in-one-accessibility/. If a patched version is not yet available, temporarily deactivate the plugin until an update is released. No configuration-level workarounds are documented; the fix requires a code update from the vendor. Consult the Patchstack advisory for additional context and confirmation of patch availability.

Share

CVE-2025-63004 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy