Skip to main content

CVE-2025-66149

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 19:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in merkulove UnGrabber ungrabber allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnGrabber: from n/a through <= 3.1.3.

AnalysisAI

Missing authorization in merkulove UnGrabber WordPress plugin version 3.1.3 and earlier allows unauthenticated attackers to exploit incorrectly configured access control to bypass security restrictions. The vulnerability stems from CWE-862 (Missing Authorization) and has been identified in the plugin's access control implementation, potentially enabling attackers to perform unauthorized actions without proper privilege verification.

Technical ContextAI

The vulnerability is rooted in CWE-862 (Missing Authorization), a weakness where software fails to enforce access control checks on sensitive operations or resources. In the context of the UnGrabber WordPress plugin, this indicates that certain functionality or endpoints lack proper authorization checks to verify user privileges before allowing access. This is distinct from authentication bypass-the plugin may verify identity but fails to validate that the authenticated (or unauthenticated) user has permission to perform the requested action. WordPress plugins are particularly susceptible to this class of vulnerability when custom API endpoints, administrative functions, or data-retrieval operations omit capability checks (e.g., missing current_user_can() calls in WordPress context).

Affected ProductsAI

UnGrabber plugin by merkulove affects all versions from the earliest release through version 3.1.3 and earlier. The WordPress plugin is available through the official WordPress plugin repository and is identified by the CPE context of a WordPress plugin. Users of any version up to and including 3.1.3 are affected. Additional details are available in the Patchstack vulnerability database entry.

RemediationAI

Update merkulove UnGrabber to a version later than 3.1.3 (exact patched version number not specified in available advisories). Users should immediately upgrade the plugin through the WordPress admin dashboard (Plugins > Installed Plugins) or manually upload the latest version. Until an update is available and deployed, site administrators should restrict access to the UnGrabber plugin functionality through WordPress user role and capability management, or temporarily disable the plugin if it is not critical to site operations. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/ungrabber/vulnerability/wordpress-ungrabber-plugin-3-1-3-broken-access-control-vulnerability) for definitive patch version information and additional mitigation guidance.

Share

CVE-2025-66149 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy