CVE-2025-68995
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
Missing Authorization vulnerability in Premio My Sticky Elements (mystickyelements) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Sticky Elements: from n/a through 2.3.3 (inclusive).
Analysis
Missing authorization in the Premio My Sticky Elements plugin (version 2.3.3 and earlier) allows authenticated users to modify data they should not have access to, because the plugin's access control security levels are incorrectly configured. Exploitation requires an authenticated attacker with low privileges; the issue carries a CVSS score of 4.3 and a low real-world exploitation probability (EPSS 0.04%). No public exploit code or active exploitation has been identified.
Technical Context
The vulnerability stems from CWE-862 (Missing Authorization), a class of access control flaws in which the application fails to enforce an authorization check before performing a sensitive operation. In the My Sticky Elements WordPress plugin, the access control security levels are misconfigured, so authenticated users with limited privileges can bypass the intended restrictions and modify data outside their authorized scope. The plugin runs in the WordPress ecosystem, where user roles and capabilities are the foundation of the security model; an authorization check that is missing or checks the wrong level undermines WordPress's permission model and allows privilege escalation through data manipulation.
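To make the CWE-862 pattern concrete, the following is an added illustration written for this page; it is not code from My Sticky Elements or from Premio, and the hook names, option name, function names and settings keys (all prefixed `hypo_`) are hypothetical. The first handler shows the shape of a missing-authorization bug in a WordPress plugin: a `wp_ajax_` action guarantees only that the caller is logged in, so without a capability check any authenticated account can change plugin data. The second handler shows the corrected form using the standard WordPress functions `check_ajax_referer()`, `current_user_can()` and the sanitization helpers.

```php
<?php
// Added example of CWE-862 (Missing Authorization) in a WordPress plugin.
// Hypothetical code: hook names, option name and function names are placeholders,
// not the My Sticky Elements implementation.

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_* handlers are reachable by ANY logged-in user via admin-ajax.php.
// WordPress does not check capabilities for you, so a Subscriber can call this
// and overwrite the plugin's settings: no capability check, no nonce.
add_action( 'wp_ajax_hypo_save_settings_vuln', 'hypo_save_settings_vuln' );
function hypo_save_settings_vuln() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'hypo_sticky_settings', $settings ); // stored as-is, by anyone logged in
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// 1. check_ajax_referer(): reject requests without a valid nonce (CSRF).
// 2. current_user_can(): enforce a capability only administrators hold.
// 3. Whitelist and sanitize the payload before it is persisted.
add_action( 'wp_ajax_hypo_save_settings', 'hypo_save_settings' );
function hypo_save_settings() {
    // Dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'hypo_settings_nonce', 'nonce' );

    // manage_options is the usual capability for changing plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw      = isset( $_POST['settings'] ) ? wp_unslash( (array) $_POST['settings'] ) : array();
    $settings = hypo_sanitize_settings( $raw );

    update_option( 'hypo_sticky_settings', $settings );
    wp_send_json_success( $settings );
}

// Only accept the keys the plugin expects and coerce each to a safe type.
function hypo_sanitize_settings( array $raw ) {
    $position = isset( $raw['position'] ) ? (string) $raw['position'] : '';
    return array(
        'position' => in_array( $position, array( 'left', 'right' ), true ) ? $position : 'right',
        'label'    => sanitize_text_field( isset( $raw['label'] ) ? $raw['label'] : '' ),
        'enabled'  => ! empty( $raw['enabled'] ) ? 1 : 0,
    );
}

// The admin script that calls the hardened endpoint must send the nonce, e.g.:
// wp_localize_script( 'hypo-admin', 'hypoAjax', array(
//     'nonce' => wp_create_nonce( 'hypo_settings_nonce' ),
// ) );
```

When auditing a plugin for this class of bug, the useful question for each `wp_ajax_*`, REST or `admin_post_*` handler is whether a capability check sits before every write, not merely whether the handler is reachable only by logged-in users; the nonce check alone does not establish authorization, and the capability check alone does not stop CSRF, which is why the hardened handler does both.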
Affected Products
The Premio My Sticky Elements WordPress plugin, version 2.3.3 and earlier, is affected. The plugin is distributed through the official WordPress plugin repository and installed through the wp-plugins ecosystem. Detailed advisory information is available from Patchstack's vulnerability database.
Remediation
Update the My Sticky Elements plugin to a version newer than 2.3.3, which should contain the corrected access control configuration. Organizations should immediately review their WordPress user roles and ensure that only trusted administrators have plugin management access. Consult the Patchstack advisory for the exact patched version number and any interim workarounds before updating. Because the CVSS vector requires only low privileges (PR:L), any logged-in account is sufficient to reach the flaw; users running version 2.3.3 or earlier on WordPress installations with multiple user accounts, and especially sites that allow self-registration, should prioritize this update to prevent low-privilege users from modifying restricted data.