CVE-2025-28872
Published: 11 March 2025
Description
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Security Summary
CVE-2025-28872 is a missing authorization vulnerability (CWE-862) in the Block Spam By Math Reloaded WordPress plugin by jwpegram. The flaw allows accessing functionality not properly constrained by access control lists (ACLs) and affects all versions of the plugin up to and including 2.2.4.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation leads to a low-impact denial of service, consistent with the CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
The Patchstack advisory provides details on this broken access control vulnerability in Block Spam By Math Reloaded version 2.2.4; security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/block-spam-by-math-reloaded/vulnerability/wordpress-block-spam-by-math-reloaded-plugin-2-2-4-broken-access-control-vulnerability?_s_id=cve for mitigation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization in public-facing WordPress plugin enables unauthenticated remote exploitation (T1190) leading directly to denial of service impact (T1499).