CVE-2025-53304
BaseFortify
Publication date: 2025-06-27
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53304 is a Broken Access Control vulnerability in the WordPress plugin 'Contact Form β 7: Hide Success Message' up to version 1.1.4. It occurs due to missing authorization, authentication, or nonce token checks in certain functions, allowing unauthenticated users to perform actions that should require higher privileges. [1]
How can this vulnerability impact me? :
This vulnerability allows unauthenticated users to access functionality that should be restricted, potentially leading to unauthorized actions on your WordPress site. However, the impact is considered low severity with a CVSS score of 5.3, and there is a low likelihood of exploitation. No data confidentiality or availability impact is indicated, but integrity could be affected. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing authorization checks in the Contact Form β 7: Hide Success Message WordPress plugin, allowing unauthenticated users to access restricted functionality. Detection would involve monitoring for unauthorized access attempts to the plugin's functions or unusual HTTP requests targeting the plugin endpoints. Specific detection commands are not provided in the available resources. Users should monitor web server logs for suspicious requests related to the plugin and consider using virtual patching tools that may include detection capabilities. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying virtual patching (vPatching) provided by Patchstack, which auto-mitigates the vulnerability even without an official patch. Users should monitor for updates from the plugin developer and Patchstack, restrict access to the plugin's functionality if possible, and review web server and application logs for suspicious activity. Since no official fix is available, virtual patching and monitoring are the recommended immediate actions. [1]