CVE-2025-49880
BaseFortify
Publication date: 2025-06-17
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control issue in the WordPress CubeWP Forms plugin (versions up to 1.1.5). It occurs due to missing authorization, authentication, or nonce token checks in certain functions, allowing users with low privileges (Subscriber-level) to perform actions that should be restricted to higher-privileged users. [1]
How can this vulnerability impact me? :
The vulnerability allows unprivileged users to perform actions reserved for higher-privileged users, potentially leading to unauthorized changes or misuse within the CubeWP Forms plugin. Although the severity is low (CVSS 4.3) and exploitation is considered unlikely, it can still result in integrity issues within the affected system if exploited. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for unauthorized actions performed by users with Subscriber-level privileges that should be restricted to higher-privileged users. Since the issue is due to missing authorization checks in certain plugin functions, monitoring logs for unusual access patterns or privilege escalations related to the CubeWP Forms plugin is recommended. There are no specific commands provided in the resources. Patchstack recommends professional incident response and server-side malware scanning rather than relying on plugin-based scanners, which can be tampered with by malware. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the CubeWP Forms plugin to version 1.1.6 or later, where the vulnerability is fixed. Additionally, Patchstack offers virtual patching (vPatching) as an immediate protective measure that auto-mitigates the vulnerability even before official patches are applied. Users should also ensure timely updates and consider professional incident response and server-side malware scanning if a compromise is suspected. [1]