CVE-2025-24607
Published: 14 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24607 is a missing authorization vulnerability (CWE-862) in the IdeaPush WordPress plugin from Northern Beaches Websites. The plugin performs an action without first checking that the requesting actor is authorized to perform it, so the access control it is meant to enforce can be bypassed. All versions of IdeaPush up to and including 8.71 are affected.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). The CVSS v3.1 base score is 5.8 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N). The impact is limited to integrity (I:L; no confidentiality or availability impact), with scope changed (S:C) because the vulnerable component is the plugin while the data it can modify belongs to the hosting WordPress site. In practice this means an anonymous visitor can perform a modification that should have required a privileged user.
The Patchstack advisory covers this broken access control issue in IdeaPush versions up to and including 8.71: https://patchstack.com/database/Wordpress/Plugin/ideapush/vulnerability/wordpress-ideapush-plugin-8-71-broken-access-control-vulnerability?_s_id=cve. Security practitioners should consult it for the patched version and any interim mitigation, and treat any installation at 8.71 or older as vulnerable.
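To make the CWE-862 pattern concrete, the following is an added illustration written for this page; it is not IdeaPush's code, and the plugin slug `exampleplugin`, the option name, the action and route names and the handler functions are all hypothetical. It shows the typical shape of a missing-authorization bug in a WordPress plugin (an admin-ajax handler registered for logged-out users with no capability check, and a REST route whose `permission_callback` is `'__return_true'`) next to the hardened form, which adds a nonce check and an explicit `current_user_can()` check before any state is modified.

```php
<?php
/*
 * Added example of CWE-862 (missing authorization) in a WordPress plugin.
 * NOT IdeaPush's code: "exampleplugin", the option name, action names,
 * route and function names below are hypothetical.
 */

/* ---------- Vulnerable pattern: admin-ajax handler reachable by anyone ---------- */

// wp_ajax_nopriv_* exposes the action to logged-out visitors. Nothing in the
// handler checks who is calling or whether the request was intended.
add_action( 'wp_ajax_nopriv_exampleplugin_update_setting', 'exampleplugin_update_setting_vulnerable' );
add_action( 'wp_ajax_exampleplugin_update_setting', 'exampleplugin_update_setting_vulnerable' );

function exampleplugin_update_setting_vulnerable() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    // Integrity impact: any unauthenticated visitor can rewrite this site option.
    update_option( 'exampleplugin_setting', $value );
    wp_send_json_success();
}

/* ---------- Fixed pattern: authenticated hook + nonce + capability check ---------- */

// No wp_ajax_nopriv_ registration: admin-ajax.php rejects logged-out callers
// for this action before the handler runs.
add_action( 'wp_ajax_exampleplugin_update_setting_fixed', 'exampleplugin_update_setting_fixed' );

function exampleplugin_update_setting_fixed() {
    // CSRF protection: the nonce must have been issued for this action to this user.
    check_ajax_referer( 'exampleplugin_update_setting', 'nonce' );

    // Authorization (the check CWE-862 describes as missing): require a capability
    // appropriate to the action instead of relying on "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'exampleplugin_setting', $value );
    wp_send_json_success();
}

/* ---------- Same bug on the REST surface ---------- */

add_action( 'rest_api_init', function () {
    register_rest_route( 'exampleplugin/v1', '/setting', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'callback'            => 'exampleplugin_rest_update_setting',
        // Vulnerable form would be:  'permission_callback' => '__return_true',
        // which lets unauthenticated callers reach the callback.
        // Fixed form: decide authorization before the callback executes.
        // (Cookie-authenticated REST requests also need a valid X-WP-Nonce header,
        // which WordPress core verifies before this callback is consulted.)
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'value' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function exampleplugin_rest_update_setting( WP_REST_Request $request ) {
    update_option( 'exampleplugin_setting', $request->get_param( 'value' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

A quick check after applying a fix of this kind is to POST the action or route without a session (for example with curl and no cookies) and confirm that the state-changing path is no longer reachable: admin-ajax.php should answer with a `0` body and HTTP 400 for an action that has no `nopriv` registration, and the REST route should return a `rest_forbidden` error rather than updating the option.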
Details
- CWE(s): CWE-862 (Missing Authorization)
Affected Products
- IdeaPush WordPress plugin by Northern Beaches Websites, all versions up to and including 8.71
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
The CVE describes a missing authorization/broken access control flaw in a public-facing WordPress plugin. It is exploitable remotely by an unauthenticated attacker over the network with no user interaction, so an attacker's first action against the host is to exploit the exposed plugin itself, which maps to T1190: Exploit Public-Facing Application.