CVE-2025-63038

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 17:15 (nvd)

Description

Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Custom Admin Interface: from n/a through <= 7.40.

Analysis

Missing authorization in Northern Beaches Websites WP Custom Admin Interface plugin (versions up to 7.40) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized administrative access or performing privileged actions without proper authentication. The vulnerability affects WordPress installations using this plugin and carries a very low EPSS score (0.01%, 2nd percentile) despite the authorization flaw, suggesting limited real-world exploitation likelihood in practice.

Technical Context

The vulnerability is rooted in CWE-862 (Missing Authorization), a category of access control failures where the application fails to properly verify that users have permission to access restricted resources or perform privileged operations. The WP Custom Admin Interface plugin, designed to customize WordPress administrative interfaces, implements insufficient authorization checks when handling user requests. This allows bypassing intended security level restrictions that should enforce role-based or capability-based access controls. The plugin processes requests without adequately validating whether the requester possesses the necessary permissions, enabling exploitation of administrative functions that should be restricted.

Affected Products

Northern Beaches Websites WP Custom Admin Interface WordPress plugin, all versions up to and including 7.40 (no lower bound is specified). The plugin is distributed through the WordPress.org plugin repository, and any WordPress installation with it installed and activated is affected. The only CPE identifier given is wordpress_plugin:wp-custom-admin-interface. Further details are available in the Patchstack vulnerability database entry.

Remediation

Update Northern Beaches Websites WP Custom Admin Interface plugin to version 7.41 or later, which addresses the missing authorization vulnerability by implementing proper access control validation. Immediately after updating, review and verify that user roles and capabilities are correctly enforced within the plugin's administrative interface. As an interim measure pending update availability, disable or deactivate the WP Custom Admin Interface plugin if it is not critical to operations. Site administrators should review access logs for any unauthorized administrative activity that may have occurred while the plugin was vulnerable. The patch and additional details are available at https://patchstack.com/database/Wordpress/Plugin/wp-custom-admin-interface/vulnerability/wordpress-wp-custom-admin-interface-plugin-7-40-broken-access-control-vulnerability.
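
An added example, not taken from the advisory or from the plugin's code: a Python check that reads the plugin's header version under a WordPress plugins directory and reports whether the install is below 7.41. It assumes the standard WordPress layout (plugins/<slug>/*.php with a "Version:" header line); the sample header is constructed for illustration.

```python
import re
from pathlib import Path

SLUG = "wp-custom-admin-interface"   # plugin slug as given on this page
FIXED = (7, 41)                      # first fixed version per this page

# WordPress reads plugin metadata from a "Version:" line in a PHP file header.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

# Constructed sample header (not copied from the real plugin).
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: WP Custom Admin Interface
 * Version: 7.40
 */
"""

def parse_version(header_text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(header_text)
    if not m:
        return None
    return tuple(int(p) for p in re.findall(r"\d+", m.group(1)))

def is_affected(version):
    """Anything below 7.41 is affected; unknown versions are flagged for review."""
    return version is None or version < FIXED

def audit(plugins_dir):
    """Check <plugins_dir>/<SLUG>/*.php and return (status, version)."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only reads the first 8 KiB of a file for header data.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if re.search(r"Plugin Name:", head, re.I):
            version = parse_version(head)
            break
    return ("affected" if is_affected(version) else "fixed", version)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(audit(sys.argv[1]))   # e.g. path to wp-content/plugins
    else:
        v = parse_version(SAMPLE_HEADER)
        print(v, is_affected(v))
```

A result of "affected" with version None means the directory exists but no readable plugin header was found, so the install should be inspected by hand.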

Priority Score

0 (on a scale of Low, Medium, High, Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
