CVE-2025-63038
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Custom Admin Interface: from n/a through <= 7.40.
AnalysisAI
Missing authorization in Northern Beaches Websites WP Custom Admin Interface plugin (versions up to 7.40) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized administrative access or performing privileged actions without proper authentication. The vulnerability affects WordPress installations using this plugin and carries a very low EPSS score (0.01%, 2nd percentile) despite the authorization flaw, suggesting limited real-world exploitation likelihood in practice.
Technical ContextAI
The vulnerability is rooted in CWE-862 (Missing Authorization), a category of access control failures where the application fails to properly verify that users have permission to access restricted resources or perform privileged operations. The WP Custom Admin Interface plugin, designed to customize WordPress administrative interfaces, implements insufficient authorization checks when handling user requests. This allows bypassing intended security level restrictions that should enforce role-based or capability-based access controls. The plugin processes requests without adequately validating whether the requester possesses the necessary permissions, enabling exploitation of administrative functions that should be restricted.
Affected ProductsAI
Northern Beaches Websites WP Custom Admin Interface WordPress plugin, all versions from unspecified baseline through version 7.40 and earlier. The plugin is distributed through WordPress.org plugin repository and affects any WordPress installation with this plugin installed and activated. CPE specificity is limited to wordpress_plugin:wp-custom-admin-interface. Further details are available in the Patchstack vulnerability database entry.
RemediationAI
Update Northern Beaches Websites WP Custom Admin Interface plugin to version 7.41 or later, which addresses the missing authorization vulnerability by implementing proper access control validation. Immediately after updating, review and verify that user roles and capabilities are correctly enforced within the plugin's administrative interface. As an interim measure pending update availability, disable or deactivate the WP Custom Admin Interface plugin if it is not critical to operations. Site administrators should review access logs for any unauthorized administrative activity that may have occurred while the plugin was vulnerable. The patch and additional details are available at https://patchstack.com/database/Wordpress/Plugin/wp-custom-admin-interface/vulnerability/wordpress-wp-custom-admin-interface-plugin-7-40-broken-access-control-vulnerability.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today