CVE-2025-24778
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-24778 is a Broken Access Control vulnerability in the WordPress plugin "No Spam At All" up to version 1.3. It is caused by missing authorization, authentication, or nonce token checks in certain plugin functions, which may allow users with low privileges (Subscriber-level) to perform actions that should be restricted to higher-privileged users. [1]
How can this vulnerability impact me? :
This vulnerability could allow unprivileged users to perform unauthorized actions within the plugin, potentially leading to limited integrity and availability impacts. However, the risk of exploitation is considered low and the severity is rated as low (CVSS 5.4). There is no official patch yet, but virtual patching is available to mitigate the risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability is challenging because plugin-based malware scanners may be unreliable. There are no specific commands provided for detection. Users are advised to seek professional incident response or hosting provider assistance to identify potential exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation can be achieved by applying virtual patching (vPatching) provided by Patchstack, which auto-mitigates the vulnerability without performance loss. Since no official patch is available, users should consider virtual patching and seek professional assistance if compromise is suspected. [1]