CVE-2025-64632

MEDIUM 5.3 (CVSS 3.1)
2025-12-16

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

CVE Published: Dec 16, 2025 - 09:15 (nvd), MEDIUM 5.3
Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)

Description

Missing Authorization vulnerability in Auctollo Google XML Sitemaps google-sitemap-generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google XML Sitemaps: from n/a through <= 4.1.22.

Analysis

Unauthenticated remote attackers can access sensitive sitemap data in Google XML Sitemaps WordPress plugin versions through 4.1.22 due to missing authorization checks on sitemap endpoints. The vulnerability allows unauthorized information disclosure of site structure and indexed pages without requiring authentication or user interaction. While the CVSS score is moderate (5.3), real-world exploitation probability is very low (EPSS 0.04th percentile), suggesting this is primarily an information disclosure risk rather than an active threat.

Technical Context

Google XML Sitemaps (google-sitemap-generator) is a widely deployed WordPress plugin that generates and manages XML sitemaps for search engine indexing. The vulnerability stems from CWE-862 (Missing Authorization): the plugin fails to enforce proper access control on its sitemap generation and retrieval endpoints. Attackers can directly access sitemap data without authentication because the plugin does not validate user permissions before serving sitemap files or metadata. This is a classic broken access control flaw in WordPress plugin architecture, where public-facing functions lack capability checks via current_user_can() or similar authorization mechanisms. The affected CPE scope includes all WordPress installations running google-sitemap-generator versions up to and including 4.1.22.
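To make the CWE-862 pattern above concrete, the following is an added illustration (not code from google-sitemap-generator or from this advisory) of a WordPress REST endpoint registered without any authorization check, beside the hardened form that gates it on a capability. The route namespace, option name and function names are hypothetical.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin endpoint. The route,
// namespace, option and function names are hypothetical; this is not the
// google-sitemap-generator code base.

add_action( 'rest_api_init', 'example_register_sitemap_routes' );

function example_register_sitemap_routes() {
    // Vulnerable pattern: permission_callback always returns true, so any
    // unauthenticated visitor can read the plugin's internal sitemap settings.
    register_rest_route( 'example-sitemap/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_read_sitemap_settings',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: the permission callback enforces a capability, so the
    // REST API rejects the request (401 or 403) before the callback runs.
    register_rest_route( 'example-sitemap/v2', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_read_sitemap_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to read sitemap settings.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

function example_read_sitemap_settings( WP_REST_Request $request ) {
    // Hypothetical option holding plugin configuration and generation metadata.
    $settings = get_option( 'example_sitemap_settings', array() );
    return rest_ensure_response( $settings );
}
```

A quick audit check for this class of bug is to grep a plugin for `permission_callback` values of `__return_true` and for `wp_ajax_nopriv_` hooks, then confirm each one really is meant to be reachable by anonymous visitors.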

Affected Products

The Google XML Sitemaps (google-sitemap-generator) WordPress plugin is affected in all versions from an unspecified baseline through version 4.1.22 inclusive. The plugin is hosted on the WordPress.org plugin repository and runs on WordPress core installations. Affected CPE: cpe:2.3:a:auctollo:google-sitemap-generator:*:*:*:*:*:wordpress:*:* with versions <=4.1.22. Additional vendor advisory details are available from the referenced Patchstack security research at https://patchstack.com/database/Wordpress/Plugin/google-sitemap-generator/vulnerability/wordpress-google-xml-sitemaps-plugin-4-1-21-broken-access-control-vulnerability?_s_id=cve.

Remediation

Immediately upgrade Google XML Sitemaps to a patched version beyond 4.1.22; verify the exact fixed version in the official WordPress plugin repository or the Patchstack advisory. Site administrators should navigate to WordPress dashboard > Plugins > Google XML Sitemaps and click Update if a newer version is available. If a patched version beyond 4.1.22 is not yet released, temporarily restrict direct access to sitemap files via web server configuration (e.g., .htaccess rules limiting /sitemap*.xml requests to authenticated users or search engine user agents only) while awaiting the vendor patch. Check the plugin repository and the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/google-sitemap-generator/) to confirm fix availability and the exact patched version number before deploying.

Priority Score

27 (KEV: 0, EPSS: +0.0, CVSS: +26, POC: 0)
