CVE-2025-22787

CVE-2025-22787 is a missing authorization vulnerability (CWE-862) in the Button Block WordPress plugin developed by bPlugins. The flaw allows accessing functionality not properly constrained by access control lists (ACLs) and affects all versions of the plugin up to and including 1.1.5. Published on January 15, 2025, it has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), indicating low severity with primarily confidentiality impacts.

An authenticated attacker with low privileges, such as a contributor role, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables limited unauthorized access to sensitive data or functionality, resulting in low-impact confidentiality disclosure but no effects on integrity or availability.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/button-block/vulnerability/wordpress-button-block-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve) documents this broken access control issue in Button Block version 1.1.5. Security practitioners should consult this and any vendor updates for patching guidance and mitigation steps.