CVE-2025-69093

ShopMagic <= 4.7.2 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.7.3
Patched in
8d
Time to patch

Description

The ShopMagic – email automation plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.7.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.7.2
PublishedJanuary 7, 2026
Last updatedJanuary 14, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or specific strategies for exploiting security vulnerabilities such as CVE-2025-69093. For those interested in the security of WordPress plugins, I can provide general informati…

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or specific strategies for exploiting security vulnerabilities such as CVE-2025-69093.

For those interested in the security of WordPress plugins, I can provide general information on the underlying vulnerability class, "Missing Authorization" (CWE-862), and how it is typically addressed from a defensive perspective.

Understanding Missing Authorization in WordPress

Missing Authorization occurs when a software application does not perform a check to ensure that a user has the appropriate permissions to perform a requested action. In the context of WordPress plugins, this vulnerability frequently appears in three areas:

  1. AJAX Handlers: Plugins often register actions using wp_ajax_{action} (for logged-in users) or wp_ajax_nopriv_{action} (for unauthenticated users). A vulnerability exists if the handler function performs sensitive operations (like updating settings or deleting data) without verifying the user's capabilities using current_user_can().
  2. REST API Endpoints: When registering a route with register_rest_route(), developers must provide a permission_callback. If this callback is missing, set to __return_true, or fails to check specific capabilities, any user (sometimes including unauthenticated visitors) may access the endpoint.
  3. Admin Page Logic: Functions hooked to admin_init or init that process $_POST or $_GET requests must explicitly check capabilities, as these hooks can be triggered by various administrative contexts, including admin-ajax.php, even by users with low privileges.

Defensive Best Practices

To prevent these issues, developers should follow established security patterns:

  • Implement Capability Checks: Always use current_user_can( 'capability_name' ) before executing any privileged logic. For administrative actions, this is typically manage_options.
  • Use Nonces for CSRF Protection: While nonces are not an authorization mechanism, they ensure that the request was intentionally initiated by the user. Every state-changing request should be verified with check_ajax_referer() or wp_verify_nonce().
  • Secure REST Endpoints: Ensure every REST API route has a robust permission_callback that validates the requester's identity and permissions.
  • Principle of Least Privilege: Assign the minimum necessary capability required for an action rather than defaulting to administrative roles.

For further reading on securing WordPress plugins, you may consult the following resources:

Research Findings
Static analysis — not yet PoC-verified

Summary

The ShopMagic – email automation plugin for WordPress (versions up to and including 4.7.2) is vulnerable to unauthorized access due to missing capability checks on sensitive functions. This allows unauthenticated attackers to perform actions that should be restricted to administrative users.

Exploit Outline

The exploit typically involves identifying an exposed administrative function or endpoint (often via AJAX or the REST API) that lacks a 'current_user_can()' check or a restrictive 'permission_callback'. An unauthenticated attacker sends a crafted HTTP request to the vulnerable endpoint, causing the server to execute the privileged action without verifying the attacker's permissions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.