CVE-2025-49248
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control issue in the WordPress Team Showcase plugin versions before 25.05.13. It occurs due to missing authorization, authentication, or nonce token checks in certain functions, which can allow users with low privileges (Subscriber level) to perform actions that should be restricted to higher privilege levels. [1]
How can this vulnerability impact me? :
The vulnerability can allow unprivileged users to perform unauthorized actions within the Team Showcase plugin, potentially leading to limited unauthorized modifications or changes. However, the impact is considered low severity with a CVSS score of 4.3, and it does not affect confidentiality or availability, only integrity to a limited extent. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking the version of the WordPress Team Showcase plugin installed. Versions prior to 25.05.13 are vulnerable. You can detect the plugin version via WordPress admin dashboard or by running commands such as 'wp plugin list' if WP-CLI is installed. Additionally, monitoring for unauthorized actions by users with Subscriber privileges may indicate exploitation. Patchstack recommends professional incident response and server-side malware scanning rather than relying solely on plugin-based scanners. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WordPress Team Showcase plugin to version 25.05.13 or later, where the vulnerability is fixed. Enabling auto-updates for the plugin is also recommended to ensure timely patching. Patchstack also offers virtual patching (vPatching) as an automatic mitigation measure before official patches are applied. In case of suspected compromise, professional incident response and server-side malware scanning should be conducted. [1]