CVE-2025-68057
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68057 is a Broken Access Control vulnerability in the WordPress Hospital Doctor Directory Plugin (versions up to 1.3.9). It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unprivileged users (such as subscribers) to perform actions that should be restricted to higher-privileged roles. This means unauthorized users can gain access or control they should not have. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access or control within the Hospital Doctor Directory plugin, allowing attackers with low privileges to perform restricted actions. This poses a significant security risk, potentially compromising the integrity and confidentiality of the website or its data. Since the CVSS score is 7.6, it indicates a high likelihood of exploitation and serious impact. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized access attempts or actions performed by unprivileged users within the Hospital Doctor Directory plugin. Since the vulnerability allows privilege escalation via missing authorization checks, you can look for unusual requests or actions performed by subscriber-level users that should be restricted. Specific commands are not provided in the available resources. However, implementing Patchstack's mitigation rule can help block exploitation attempts and may include detection capabilities. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the mitigation rule released by Patchstack to block exploitation attempts until an official patch is available. Users are strongly advised to implement this mitigation immediately to protect their websites. Since no official fixed version of the plugin is currently available, applying this mitigation is the best immediate defense. [1]