CVE-2025-64247

Severity: MEDIUM, CVSS 3.1 base score 6.5
Published: 2025-12-16 by [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 16, 2025 - 09:15 (nvd), rated MEDIUM 6.5

Description

Missing Authorization vulnerability in edmon.parker Read More & Accordion expand-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Read More & Accordion: from n/a through <= 3.5.5.1.

Analysis

Missing authorization in the WordPress Read More & Accordion plugin (expand-maker), versions 3.5.5.1 and earlier, allows authenticated users to reach restricted functionality through incorrectly configured access controls, potentially revealing sensitive information. Exploitation requires an authenticated account and network access; the CVSS score of 6.5 reflects the high confidentiality impact, while the EPSS estimate of 0.04% indicates a low real-world exploitation probability. No public exploit code or active exploitation had been identified at the time of analysis.

Technical Context

The vulnerability is classified as CWE-862 (Missing Authorization): the plugin's access-control logic fails to enforce a permission check before exposing sensitive data or functionality. The affected product, Read More & Accordion (expand-maker), is a WordPress plugin that provides content-expansion and accordion UI components. The root cause is inadequately configured security levels that allow authenticated users with lower privileges to bypass the intended authorization restrictions and reach resources or data that should require elevated permissions. This is distinct from an authentication bypass: the user is authenticated, but the authorization check is missing or misconfigured.
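To make the CWE-862 pattern concrete, the following is an added illustration written for this page, not code from the Read More & Accordion plugin or from its author. It shows the generic WordPress mistake the class describes (an admin-ajax handler that returns plugin data to any logged-in user, because `wp_ajax_*` actions fire for every authenticated role) beside the hardened form, which checks a capability before doing anything, and the equivalent `permission_callback` for a REST route. All action names, option names and nonce names are hypothetical.

```php
<?php
// Added example of CWE-862 (Missing Authorization) in a WordPress plugin.
// Hypothetical names throughout; this is not the expand-maker plugin's code.

// INSECURE: every logged-in user, including a subscriber, can invoke a
// wp_ajax_* action. Without a capability check the handler hands out
// administrator-only settings to any authenticated account.
function example_get_settings_insecure() {
    wp_send_json_success( get_option( 'example_plugin_settings' ) );
}
// Deliberately NOT hooked: shown only for contrast with the hardened handler.
// add_action( 'wp_ajax_example_get_settings', 'example_get_settings_insecure' );

// HARDENED: authorization is enforced before any data is touched.
add_action( 'wp_ajax_example_get_settings', 'example_get_settings_secure' );
function example_get_settings_secure() {
    // 1. Authorization: the request must come from a user who may manage options.
    //    wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. Request-forgery protection: the nonce ties the call to this user's session.
    //    Separate concern from authorization; both checks are needed.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    wp_send_json_success( get_option( 'example_plugin_settings' ) );
}

// Same rule for the REST API: permission_callback is where authorization lives.
// Returning __return_true there would be the REST equivalent of the insecure
// handler above. Here it performs the same capability check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( get_option( 'example_plugin_settings' ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a plugin for this class, the check is mechanical: every `wp_ajax_*` (and `wp_ajax_nopriv_*`) handler and every REST route callback should be traceable to a `current_user_can()` test against the capability the exposed data actually requires. A nonce check alone does not satisfy this, since a nonce proves intent, not privilege.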

Affected Products

Read More & Accordion plugin (expand-maker) versions 3.5.5.1 and earlier are affected. The vulnerability impacts all installations from version 1.0 through 3.5.5.1. WordPress installations with this plugin active should be upgraded as soon as a fixed version is available. Further details and advisory information are available at https://patchstack.com/database/Wordpress/Plugin/expand-maker/vulnerability/wordpress-read-more-accordion-plugin-3-5-4-1-broken-access-control-vulnerability?_s_id=cve.

Remediation

Upgrade the Read More & Accordion plugin to the patched version as soon as the vendor releases it. Website administrators can update the plugin through the WordPress dashboard (Plugins > Installed Plugins > Updates) or manually from the WordPress.org plugin repository. If a patched version is not yet available, reduce exposure by limiting user registration or using role-based access-control plugins so that only trusted users can authenticate. Monitor user activity and review assigned roles to identify unauthorized access attempts. For additional guidance and confirmation of available patch versions, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/expand-maker/vulnerability/wordpress-read-more-accordion-plugin-3-5-4-1-broken-access-control-vulnerability?_s_id=cve.

Priority Score

Score: 33 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0

CVE-2025-64247 vulnerability details – vuln.today