CVE-2025-57909
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Missing Authorization vulnerability in Rouergue Création Editor Custom Color Palette editor-custom-color-palette allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Editor Custom Color Palette: from n/a through <= 3.5.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-14
NVD
CVE-2025-57909
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress editor_custom_color_palette *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-57909 is a Broken Access Control vulnerability in the WordPress Editor Custom Color Palette Plugin (versions up to 3.4.8). It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions. This flaw allows users with Contributor-level privileges to perform actions that should be restricted to higher-privileged users. It falls under the OWASP Top 10 category A7: Identification and Authentication Failures. [1]

Impact Analysis

This vulnerability can allow lower-privileged users (such as Contributors) to execute actions reserved for higher-privileged users, potentially leading to unauthorized changes or configurations within the WordPress site. Although the CVSS score is 6.5 indicating moderate severity, the impact is primarily unauthorized access to sensitive functions, which could compromise site integrity or security. No official patch is available yet, but virtual patching is offered as a mitigation. [1]

Detection Guidance

Detection involves identifying if the WordPress site is running the Editor Custom Color Palette plugin version 3.4.8 or earlier, as these versions are vulnerable. Since the vulnerability allows users with Contributor-level privileges to perform unauthorized actions, monitoring for unusual privilege escalations or unauthorized changes by such users can help detect exploitation attempts. Specific commands are not provided, but checking the plugin version can be done via WP-CLI with: `wp plugin list --format=json` and inspecting the version of 'editor-custom-color-palette'. Additionally, reviewing WordPress user roles and recent changes in plugin files or settings may help detect suspicious activity. [1]

Mitigation Strategies

Immediate mitigation steps include applying virtual patching (vPatching) provided by Patchstack, which offers automatic protection without requiring an official patch. Users should monitor for official updates or patches from the plugin developer and consider restricting Contributor-level user capabilities temporarily to reduce risk. Since no official fix is available yet, using Patchstack's protection services is recommended to rapidly mitigate the vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57909. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart