CVE-2025-49969
BaseFortify
Publication date: 2025-06-20
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control issue in the WordPress Zara 4 Image Compression plugin (up to version 1.2.17.2). It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions, which allows users with low privileges (Subscriber-level) to perform actions that should be restricted to higher-privileged users. [1]
How can this vulnerability impact me? :
The vulnerability allows unprivileged users to execute actions reserved for higher-privileged users, potentially leading to unauthorized changes or disruptions. Although the CVSS score is low (4.3), the risk remains because the plugin is abandoned with no official fix available. Exploitation could lead to security breaches, and simply deactivating the plugin does not fully mitigate the risk without applying a virtual patch or replacing the plugin. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying the presence of the vulnerable Zara 4 Image Compression plugin version 1.2.17.2 or earlier on your WordPress installation. Since the vulnerability allows unprivileged users to perform higher-privileged actions due to missing authorization checks, monitoring for unusual privilege escalations or unauthorized actions by Subscriber-level users can help detect exploitation attempts. However, no specific detection commands are provided. Plugin-based malware scanners may be unreliable for this vulnerability, so professional incident response is recommended if compromise is suspected. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying a virtual patch (vPatch) offered by Patchstack, which provides rapid protection without requiring an official plugin update. Since the plugin is abandoned and no official fix is available, urgent replacement of the Zara 4 Image Compression plugin with an alternative solution is strongly recommended. Simply deactivating the plugin does not eliminate the risk unless a virtual patch is applied. If compromise is suspected, seek professional incident response. [1]