CVE-2025-49246
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-06

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Missing Authorization vulnerability in cmoreira Testimonials Showcase testimonials-showcase allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Testimonials Showcase: from n/a through <= 1.9.16.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-06
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2025-06-06
EPSS Evaluated
2026-05-05
NVD
CVE-2025-49246
EUVD
EUVD-2025-17288
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Broken Access Control issue in the WordPress Testimonials Showcase plugin (up to version 1.9.16). It occurs due to missing authorization, authentication, or nonce token checks in certain functions, allowing users with low-level privileges (Subscriber-level) to perform actions that should be restricted to higher-privileged roles. It is classified under OWASP Top 10 category A1: Broken Access Control and has a low severity rating with a CVSS score of 4.3. [1]


How can this vulnerability impact me? :

This vulnerability could allow an attacker with Subscriber-level access to perform unauthorized actions reserved for higher-privileged users, potentially leading to unauthorized modifications or misuse of the plugin's functionality. Although the severity is low and exploitation is considered unlikely, unpatched sites remain at risk of opportunistic automated attacks. If compromised, professional incident response or server-side malware scanning is recommended. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking if your WordPress site is running Testimonials Showcase plugin version 1.9.16 or earlier. Since the vulnerability allows actions by Subscriber-level users that should require higher privileges, monitoring for unusual privilege escalations or unauthorized actions by low-privilege users can help detect exploitation attempts. Patchstack recommends professional incident response or server-side malware scanning rather than relying on plugin-based scanners, which may be tampered with. Specific commands are not provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Testimonials Showcase plugin to version 1.9.18 or later, where the vulnerability is fixed. As an interim protection, Patchstack offers virtual patching (vPatching) that automatically mitigates the vulnerability even before official patches are applied. Additionally, monitoring for exploitation attempts and employing professional incident response or server-side malware scanning is recommended in case of compromise. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart