CVE-2025-57909
BaseFortify
Publication date: 2025-09-22
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | editor_custom_color_palette | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-57909 is a Broken Access Control vulnerability in the WordPress Editor Custom Color Palette Plugin (versions up to 3.4.8). It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions. This flaw allows users with Contributor-level privileges to perform actions that should be restricted to higher-privileged users. It falls under the OWASP Top 10 category A7: Identification and Authentication Failures. [1]
How can this vulnerability impact me? :
This vulnerability can allow lower-privileged users (such as Contributors) to execute actions reserved for higher-privileged users, potentially leading to unauthorized changes or configurations within the WordPress site. Although the CVSS score is 6.5 indicating moderate severity, the impact is primarily unauthorized access to sensitive functions, which could compromise site integrity or security. No official patch is available yet, but virtual patching is offered as a mitigation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying if the WordPress site is running the Editor Custom Color Palette plugin version 3.4.8 or earlier, as these versions are vulnerable. Since the vulnerability allows users with Contributor-level privileges to perform unauthorized actions, monitoring for unusual privilege escalations or unauthorized changes by such users can help detect exploitation attempts. Specific commands are not provided, but checking the plugin version can be done via WP-CLI with: `wp plugin list --format=json` and inspecting the version of 'editor-custom-color-palette'. Additionally, reviewing WordPress user roles and recent changes in plugin files or settings may help detect suspicious activity. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying virtual patching (vPatching) provided by Patchstack, which offers automatic protection without requiring an official patch. Users should monitor for official updates or patches from the plugin developer and consider restricting Contributor-level user capabilities temporarily to reduce risk. Since no official fix is available yet, using Patchstack's protection services is recommended to rapidly mitigate the vulnerability. [1]