CVE-2025-63022

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 15:15 (nvd)

Description

Missing Authorization vulnerability in topdevs.net Simple Like Page simple-facebook-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Like Page: from n/a through <= 1.5.3.

Analysis

Simple Like Page WordPress plugin versions 1.5.3 and earlier allow unauthenticated attackers to bypass access controls and perform unauthorized actions: incorrectly configured authentication checks leave plugin functionality without authorization enforcement. The plugin is widely deployed and the estimated exploitation probability is low (EPSS 0.04%), but this is a classic access control weakness that could permit unauthorized modification of plugin data or settings.

Technical Context

Simple Like Page is a WordPress plugin that manages social engagement features. The vulnerability stems from CWE-862 (Missing Authorization), which occurs when the plugin fails to implement proper permission checks before performing sensitive operations. The plugin likely exposes administrative or user-modifying functionality via WordPress REST API endpoints, AJAX handlers, or direct form submissions without verifying that the requesting user has the necessary capabilities (admin, moderator, or appropriate role). This is a common WordPress security issue where developers implement authentication (verifying who you are) but omit authorization (verifying what you're allowed to do). The affected product is identified via CPE mapping to the WordPress Simple Like Page plugin through version 1.5.3.

Affected Products

Simple Like Page WordPress plugin versions through 1.5.3 are affected, as confirmed by the vulnerability reference in the Patchstack WordPress plugin database. The plugin is hosted on the WordPress.org plugin repository and likely deployed across thousands of WordPress installations. Exact version ranges with CPE mapping are available via the Patchstack vulnerability database entry referenced in the advisory.

Remediation

Update Simple Like Page plugin to version 1.5.4 or later, which addresses the missing authorization vulnerability by implementing proper access control checks. Users should navigate to their WordPress dashboard, select Plugins > Installed Plugins, locate Simple Like Page, and click Update if available. If a patched version is not yet available in the WordPress plugin repository, temporarily deactivate the plugin to prevent exploitation. For additional technical details and advisory information, consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/simple-facebook-plugin/vulnerability/wordpress-simple-like-page-plugin-1-5-3-broken-access-control-vulnerability.
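To confirm whether a given site still runs a version in the affected range before and after updating, the following added example (not part of the advisory or the plugin's code) reads the plugin's Version header from disk and compares it against 1.5.3. It assumes the plugin is installed in a directory named after its slug, simple-facebook-plugin, under the plugins directory you pass in; the file name used for the constructed sample is hypothetical.

```python
import re
import tempfile
from pathlib import Path

SLUG = "simple-facebook-plugin"  # plugin slug as given in the advisory
LAST_AFFECTED = "1.5.3"          # advisory: "through <= 1.5.3"

def parse_version(text):
    """'1.5.3' -> (1, 5, 3); a non-numeric suffix in a part is ignored."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in text.strip().split("."))

def is_affected(version, last_affected=LAST_AFFECTED):
    a, b = parse_version(version), parse_version(last_affected)
    width = max(len(a), len(b))
    # Pad so that "1.5" compares as 1.5.0 and "1.5.3.1" sorts after 1.5.3.
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))

def installed_version(plugins_dir):
    """Version header of the plugin's main file, or None if not found."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress reads plugin headers from the first 8 KB of the file.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if re.search(r"^[ \t/*#@]*Plugin Name:", head, re.M | re.I) and (
                m := re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", head, re.M | re.I)):
            return m.group(1)
    return None

def check(plugins_dir):
    version = installed_version(plugins_dir)
    if version is None:
        return "not installed"
    return "affected" if is_affected(version) else "not in affected range"

def make_sample(root, version):
    """Constructed plugin tree for the demo; the file name is hypothetical."""
    d = Path(root) / SLUG
    d.mkdir(parents=True, exist_ok=True)
    header = f"<?php\n/*\n * Plugin Name: Simple Like Page\n * Version: {version}\n */\n"
    (d / "plugin-main.php").write_text(header)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check(make_sample(tmp, "1.5.3")))
```

On a real host, call check() with the path to wp-content/plugins; a result of "affected" means the update or deactivation step above still applies.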

Priority Score

0 (KEV: 0, EPSS: +0.0, CVSS: +0, POC: 0)
