CVE-2025-49988
BaseFortify
Publication date: 2025-06-20
Last updated on: 2026-04-23
Assigner: Patchstack
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Missing Authorization (Broken Access Control) issue in the WordPress Contact Form 7 AWeber Extension plugin up to version 0.1.38. It occurs because certain functions lack proper authorization, authentication, or nonce token checks, allowing unauthenticated users to perform actions that should be restricted to higher-privileged users. [1]
How can this vulnerability impact me?
The vulnerability allows unauthorized users to perform privileged actions on a website using the affected plugin, potentially leading to unauthorized changes or disruptions. Although the CVSS score is 5.3, indicating low severity, exploitation could result in availability impacts. Since the plugin is abandoned and no official fix exists, the risk remains unless it is mitigated by virtual patching or by removing the plugin. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for unauthorized access or actions performed via the Contact Form 7 AWeber Extension plugin. Since the vulnerability arises from missing authorization and nonce token checks, monitoring web server logs for unusual or unauthenticated requests targeting the plugin's functions may help. However, no specific detection commands or signatures are provided. Plugin-based malware scanners may be unreliable for this vulnerability. It is recommended to seek professional incident response services for thorough detection. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing and replacing the Contact Form 7 AWeber Extension plugin, as no official fix or updated version is available and the plugin is abandoned. Deactivating the plugin alone does not eliminate the risk unless a virtual patch (vPatch) is applied. Patchstack offers vPatching as an automated mitigation method to protect against exploitation without official patches. Seeking professional incident response services is also advised if compromise is suspected. [1]
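The explanation above describes handlers that lack authorization, authentication and nonce checks, and the mitigation advice says what has to change. The following is an added illustration, written for this page; it is not code from the Contact Form 7 AWeber Extension plugin or from Patchstack, and the function, option and action names (cf7ex_*) are hypothetical. It shows a WordPress admin-ajax handler first in the shape the advisory describes, then with the checks a maintainer would add.

```php
<?php
// Added illustration, not the affected plugin's code. Names prefixed cf7ex_ are hypothetical.
// A hypothetical admin-ajax handler that saves a plugin setting.

// --- Pattern the advisory describes: no capability check, no nonce check, and the
// handler wired to the nopriv hook so logged-out visitors reach it. Vulnerable wiring
// shown for contrast (deliberately not registered in this file):
//   add_action( 'wp_ajax_cf7ex_save_setting',        'cf7ex_save_setting_unchecked' );
//   add_action( 'wp_ajax_nopriv_cf7ex_save_setting', 'cf7ex_save_setting_unchecked' );
function cf7ex_save_setting_unchecked() {
    $value = isset( $_POST['api_key'] ) ? $_POST['api_key'] : '';
    update_option( 'cf7ex_api_key', $value );   // any visitor could overwrite this (CWE-862)
    wp_send_json_success();
}

// --- Corrected handler: authenticated users only (no nopriv hook), a capability check
// for the action being performed, a nonce bound to that action, and sanitized input. ---
function cf7ex_save_setting_checked() {
    // Rejects the request with HTTP 403 (via wp_die) when the nonce for this
    // specific action is missing or invalid. Nonces stop cross-site request forgery;
    // they are not an authorization check on their own, hence the next test.
    check_ajax_referer( 'cf7ex_save_setting', '_ajax_nonce' );

    // Authorization: only users allowed to manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $value = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'cf7ex_api_key', $value );
    wp_send_json_success();
}
// Registered on wp_ajax_ only: WordPress never routes logged-out requests here.
add_action( 'wp_ajax_cf7ex_save_setting', 'cf7ex_save_setting_checked' );

// The settings page that issues the request must embed the matching nonce so that
// check_ajax_referer() above passes for legitimate administrator submissions.
function cf7ex_settings_form_nonce() {
    wp_nonce_field( 'cf7ex_save_setting', '_ajax_nonce' );
}
```

When reviewing a plugin for this class of issue, the presence of a `wp_ajax_nopriv_` registration for an action that writes state is the first thing to look for, followed by whether the handler calls `check_ajax_referer()` and `current_user_can()` before acting.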