CVE-2025-68564
Awaiting Analysis Awaiting Analysis - Queue
Missing Authorization in Sendy ≀ 3.4.2 Enables Unauthorized Access

Publication date: 2026-02-20

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Missing Authorization vulnerability in sendy Sendy sendy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sendy: from n/a through <= 3.4.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68564
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
patchstack sendy to 3.4.2 (inc)
sendy sendy to 3.4.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68564 is a medium priority Broken Access Control vulnerability in the WordPress Sendy Plugin versions up to and including 3.4.2.

This vulnerability is caused by missing authorization, authentication, or nonce token checks within certain plugin functions.

As a result, unauthenticated users can perform actions that should be restricted to higher privileged users.

It requires no prior authentication to exploit, which increases its risk.

Impact Analysis

This vulnerability allows unauthenticated attackers to bypass access controls and perform privileged actions within the Sendy plugin.

Such unauthorized actions could lead to unauthorized data access, modification, or other malicious activities on your WordPress site.

Because no authentication is required, the likelihood of exploitation is higher, potentially compromising the security and integrity of your website.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from missing authorization, authentication, or nonce token checks within certain plugin functions, allowing unauthenticated users to perform actions reserved for higher privileged users.

No specific detection commands are provided in the available resources. However, monitoring for unauthorized access attempts or unusual activity targeting the Sendy plugin endpoints could help identify exploitation attempts.

Applying web application firewall (WAF) rules or using automated vulnerability mitigation tools like those provided by Patchstack can help detect and block attacks targeting this vulnerability.

Mitigation Strategies

No official patch is currently available for this vulnerability.

Patchstack has issued a mitigation rule that can be applied to block attacks targeting this flaw until an official fix is released.

  • Implement the Patchstack mitigation rule promptly to protect your website.
  • Monitor your WordPress installation for suspicious activity related to the Sendy plugin.
  • Consider using automated vulnerability mitigation and continuous security intelligence tools to safeguard your installation.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68564. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart