CVE-2025-25167
Published: 07 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25167 is a missing authorization vulnerability (CWE-862) in the BookPress – For Book Authors WordPress plugin, affecting all versions up to and including 1.2.7. The flaw enables exploitation of incorrectly configured access control security levels, as documented in the CVE description published on 2025-02-07. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating high severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation allows limited integrity impacts alongside high availability disruption, such as denial-of-service effects, while confidentiality remains unaffected due to the unchanged scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/book-press/vulnerability/wordpress-bookpress-for-book-authors-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve provides details on the broken access control issue in version 1.2.7 and guidance for mitigation, including available patches or updates for the plugin.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization (broken access control) vulnerability in a public-facing WordPress plugin enables unauthenticated remote exploitation over the network, directly mapping to T1190 Exploit Public-Facing Application. Resulting integrity and availability impacts (e.g., DoS) stem from this initial access vector.