CVE-2025-68564
Missing Authorization in Sendy β€ 3.4.2 Enables Unauthorized Access
Publication date: 2026-02-20
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | sendy | to 3.4.2 (inc) |
| sendy | sendy | to 3.4.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68564 is a medium priority Broken Access Control vulnerability in the WordPress Sendy Plugin versions up to and including 3.4.2.
This vulnerability is caused by missing authorization, authentication, or nonce token checks within certain plugin functions.
As a result, unauthenticated users can perform actions that should be restricted to higher privileged users.
It requires no prior authentication to exploit, which increases its risk.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to bypass access controls and perform privileged actions within the Sendy plugin.
Such unauthorized actions could lead to unauthorized data access, modification, or other malicious activities on your WordPress site.
Because no authentication is required, the likelihood of exploitation is higher, potentially compromising the security and integrity of your website.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks within certain plugin functions, allowing unauthenticated users to perform actions reserved for higher privileged users.
No specific detection commands are provided in the available resources. However, monitoring for unauthorized access attempts or unusual activity targeting the Sendy plugin endpoints could help identify exploitation attempts.
Applying web application firewall (WAF) rules or using automated vulnerability mitigation tools like those provided by Patchstack can help detect and block attacks targeting this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
No official patch is currently available for this vulnerability.
Patchstack has issued a mitigation rule that can be applied to block attacks targeting this flaw until an official fix is released.
- Implement the Patchstack mitigation rule promptly to protect your website.
- Monitor your WordPress installation for suspicious activity related to the Sendy plugin.
- Consider using automated vulnerability mitigation and continuous security intelligence tools to safeguard your installation.