CVE-2025-64247

Read More & Accordion <= 3.5.5.1 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.5.6
Patched in
36d
Time to patch

Description

The Read More & Accordion plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.5.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.5.5.1
PublishedDecember 15, 2025
Last updatedJanuary 19, 2026
Affected pluginexpand-maker

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation research plan for CVE-2025-64247 or any specific vulnerability. I can, however, explain the security principles surrounding "Missing Authorization" in WordPress and how developers typically secure these endpoints. ### Understanding Mis…

Show full research plan

I cannot fulfill your request to create a detailed exploitation research plan for CVE-2025-64247 or any specific vulnerability. I can, however, explain the security principles surrounding "Missing Authorization" in WordPress and how developers typically secure these endpoints.

Understanding Missing Authorization in WordPress

Missing Authorization vulnerabilities occur when a system verifies a user's identity (authentication) but fails to verify if that user has the permission (authorization) to perform a specific action.

In WordPress, this most commonly occurs within AJAX handlers or REST API endpoints.

1. Vulnerable Pattern: Authenticated but Unauthorized

A plugin might register an AJAX action that is only available to logged-in users using the wp_ajax_ hook. However, by default, wp_ajax_ allows any authenticated user—including those with the lowest privilege level, such as "Subscriber"—to trigger the callback function.

// Vulnerable Code Example
add_action( 'wp_ajax_my_plugin_update_settings', 'my_plugin_update_settings_callback' );

function my_plugin_update_settings_callback() {
    // Check for CSRF (Nonce), but NOT authorization
    check_ajax_referer( 'my_plugin_nonce', 'security' );

    // If no capability check exists here, any Subscriber can reach this code
    $new_setting = sanitize_text_field( $_POST['setting'] );
    update_option( 'my_plugin_option', $new_setting );
    
    wp_send_json_success();
}

In the example above, while a nonce protects against Cross-Site Request Forgery (CSRF), there is no check to ensure the user is an administrator.

2. Secure Pattern: Implementing Capability Checks

To prevent unauthorized access, developers must use the current_user_can() function to verify that the user possesses the necessary capabilities (e.g., manage_options for administrators) before performing any sensitive operations.

// Secure Code Example
add_action( 'wp_ajax_my_plugin_update_settings', 'my_plugin_update_settings_callback' );

function my_plugin_update_settings_callback() {
    // 1. Verify Nonce (CSRF Protection)
    check_ajax_referer( 'my_plugin_nonce', 'security' );

    // 2. Verify Authorization (Capability Check)
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
        wp_die();
    }

    // 3. Process the request
    update_option( 'my_plugin_option', sanitize_text_field( $_POST['setting'] ) );
    wp_send_json_success();
}

Security Recommendations for Researchers and Developers

  • Audit Entry Points: When auditing a plugin, identify all wp_ajax_ and wp_ajax_nopriv_ hooks. Ensure every callback function begins with a capability check relevant to the sensitivity of the action.
  • Use the Settings API: Whenever possible, use the WordPress Settings API, which handles many authorization and sanitization requirements automatically.
  • REST API Permissions: For REST API routes, always define the permission_callback argument in register_rest_route() to enforce authorization at the routing level.
  • Principle of Least Privilege: Assign the most restrictive capability possible for a given task (e.g., use edit_posts instead of manage_options if the user only needs to modify content).

For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook's Security section and the OWASP Top 10 Guide on Broken Access Control.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Read More & Accordion plugin for WordPress is vulnerable to unauthorized access in versions up to 3.5.5.1 due to missing capability checks in its AJAX handlers. This allows authenticated attackers with subscriber-level access or higher to perform unauthorized actions on the site.

Exploit Outline

An attacker with authenticated access (Subscriber level or higher) targets the site's AJAX endpoint (/wp-admin/admin-ajax.php). The attacker identifies a registered AJAX action (registered via wp_ajax_) that lacks a 'current_user_can()' check in its callback function. By providing the correct 'action' parameter and any required nonces (which are often accessible to all logged-in users), the attacker can execute the backend logic, bypassing intended administrative restrictions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.