Skip to main content

Google CVE-2025-64632

MEDIUM
Missing Authorization (CWE-862)
2025-12-16 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 16, 2025 - 09:15 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Auctollo Google XML Sitemaps google-sitemap-generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Google XML Sitemaps: from n/a through <= 4.1.22.

AnalysisAI

Unauthenticated remote attackers can access sensitive sitemap data in Google XML Sitemaps WordPress plugin versions through 4.1.22 due to missing authorization checks on sitemap endpoints. The vulnerability allows unauthorized information disclosure of site structure and indexed pages without requiring authentication or user interaction. While the CVSS score is moderate (5.3), real-world exploitation probability is very low (EPSS 0.04th percentile), suggesting this is primarily an information disclosure risk rather than an active threat.

Technical ContextAI

Google XML Sitemaps (google-sitemap-generator) is a widely-deployed WordPress plugin that generates and manages XML sitemaps for search engine indexing. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper access control lists on sitemap generation and retrieval endpoints. Attackers can directly access sitemap data without authentication because the plugin does not validate user permissions before serving sitemap files or metadata. This is a classic broken access control flaw in WordPress plugin architecture where public-facing functions lack capability checks via current_user_can() or similar authorization mechanisms. The affected CPE scope includes all WordPress plugin installations running google-sitemap-generator versions up to and including 4.1.22.

Affected ProductsAI

Google XML Sitemaps (google-sitemap-generator) WordPress plugin is affected in all versions from an unspecified baseline through version 4.1.22 inclusive. The plugin is hosted on the WordPress.org plugin repository and targets WordPress core installations. Affected CPE: cpe:2.3:a:auctollo:google-sitemap-generator:*:*:*:*:*:wordpress:*:* with versions <=4.1.22. Additional vendor advisory details are available at https://patchstack.com/database/Wordpress/Plugin/google-sitemap-generator/vulnerability/wordpress-google-xml-sitemaps-plugin-4-1-21-broken-access-control-vulnerability?_s_id=cve per the Patchstack security research referenced.

RemediationAI

Immediately upgrade Google XML Sitemaps to a patched version beyond 4.1.22; vendors should verify the exact fixed version in the official WordPress plugin repository or Patchstack advisory. Site administrators should navigate to WordPress dashboard > Plugins > Google XML Sitemaps and click Update if a newer version is available. If a patched version beyond 4.1.22 is not yet released, temporarily restrict direct access to sitemap files via web server configuration (e.g., .htaccess rules limiting /sitemap*.xml requests to authenticated users or search engine user agents only) while awaiting vendor patch release. Verify the plugin repository and Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/google-sitemap-generator/) for confirmation of fix availability and exact patched version numbers before deploying.

Share

CVE-2025-64632 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy