CVE-2025-68861
Description
Missing Authorization vulnerability in pluginoptimizer Plugin Optimizer plugin-optimizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Plugin Optimizer: from n/a through <= 1.3.7.
Analysis
Missing authorization in the Plugin Optimizer WordPress plugin through version 1.3.7 allows attackers to exploit incorrectly configured access controls and perform unauthorized actions. The vulnerability stems from a missing authorization check (CWE-862), enabling callers to bypass security restrictions without holding the required administrative privileges. While the EPSS score (0.06%, 17th percentile) indicates a low probability of exploitation, the broken access control classification warrants prompt patching.
Technical Context
Plugin Optimizer is a WordPress plugin designed to optimize WordPress site performance and configuration. The vulnerability involves a missing authorization check in one or more plugin functions, classified under CWE-862 (Missing Authorization). This allows attackers to call privileged functions or access restricted resources without satisfying the expected permission validation logic. WordPress plugins rely on capability checks using functions like current_user_can() to enforce role-based access control; this vulnerability indicates such checks are either absent or incorrectly implemented in certain code paths, allowing unauthenticated or low-privileged users to escalate their access.
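The following is an added illustration of the CWE-862 pattern described above in a WordPress admin-ajax handler, shown beside the hardened form a plugin author would write. It is hypothetical example code, not Plugin Optimizer's code; the hook names, option name, nonce action and the `manage_options` capability are assumptions chosen for the illustration.

```php
<?php
// Added illustrative example, not code from the Plugin Optimizer plugin.
// Hypothetical hook/option names; the capability 'manage_options' is assumed.

// VULNERABLE PATTERN (CWE-862): the handler is registered for both logged-in
// (wp_ajax_) and unauthenticated (wp_ajax_nopriv_) requests and performs a
// privileged write without asking whether the caller is allowed to.
add_action( 'wp_ajax_hypo_toggle_feature',        'hypo_toggle_feature_vulnerable' );
add_action( 'wp_ajax_nopriv_hypo_toggle_feature', 'hypo_toggle_feature_vulnerable' );

function hypo_toggle_feature_vulnerable() {
    $enabled = isset( $_POST['enabled'] ) ? (bool) $_POST['enabled'] : false;
    // Site-wide setting changed by any request that reaches admin-ajax.php.
    update_option( 'hypo_feature_enabled', $enabled );
    wp_send_json_success();
}

// HARDENED PATTERN: no nopriv registration, so anonymous requests never reach
// the function; an explicit capability check enforces role-based access
// control; a nonce check rejects requests a logged-in admin did not intend.
add_action( 'wp_ajax_hypo_toggle_feature_secure', 'hypo_toggle_feature_secure' );

function hypo_toggle_feature_secure() {
    // Authorization: the check whose absence defines CWE-862.
    // wp_send_json_error() ends the request, so nothing below runs on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Request integrity: nonce tied to this specific action (CSRF defence).
    check_ajax_referer( 'hypo_toggle_feature_nonce', '_wpnonce' );

    $enabled = isset( $_POST['enabled'] ) ? (bool) $_POST['enabled'] : false;
    update_option( 'hypo_feature_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
```

When auditing a plugin for this class of bug, review every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and REST route callback for a capability check (or a `permission_callback` for REST) that matches the privilege level of the action performed.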
Affected Products
Plugin Optimizer (WordPress plugin) versions from an unspecified baseline through 1.3.7 are affected; the earliest affected version is not documented. The plugin is distributed via the WordPress plugin repository and is identified in CPE data as the WordPress plugin-optimizer plugin. Affected users should identify their installed version in the WordPress admin dashboard (Plugins > Installed Plugins) and compare it against the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/plugin-optimizer/vulnerability/wordpress-plugin-optimizer-plugin-1-3-7-broken-access-control-vulnerability?_s_id=cve.
Remediation
Update Plugin Optimizer to a version newer than 1.3.7. The vendor advisory does not specify the exact patched version number, so users should install the latest available release from the WordPress plugin repository or the vendor's website. To remediate, log in to the WordPress dashboard, navigate to Plugins > Installed Plugins, locate Plugin Optimizer, and click Update if one is offered. If no update is visible, manually download the latest version from https://patchstack.com/database/Wordpress/Plugin/plugin-optimizer/vulnerability/wordpress-plugin-optimizer-plugin-1-3-7-broken-access-control-vulnerability?_s_id=cve or the official plugin page. As a temporary workaround until patching, restrict plugin administrator capabilities to trusted users only via WordPress user role management. After upgrading, verify that the authorization checks are enforced by testing access to plugin-specific features while logged in as non-administrator user roles.