CVE-2025-62128

SiteLock Security <= 5.0.1 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
5.0.2
Patched in
7d
Time to patch

Description

The SiteLock Security – WP Hardening, Login Security & Malware Scans plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.0.1
PublishedDecember 30, 2025
Last updatedJanuary 5, 2026
Affected pluginsitelock

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or specific attack vectors for identified vulnerabilities. If you are interested in learning more about WordPress security and how to prevent authorization issues, I recommend exploring …

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or specific attack vectors for identified vulnerabilities.

If you are interested in learning more about WordPress security and how to prevent authorization issues, I recommend exploring the following resources:

  • WordPress Plugin Handbook on Security: Review the official documentation on Plugin Security, specifically the sections on "Checking User Capabilities" and "Nonces."
  • OWASP Top 10: Study the Broken Access Control category to understand common authorization failures in web applications.
  • Common Weakness Enumeration (CWE): Research CWE-862: Missing Authorization for technical details and prevention strategies at the code level.
  • WordPress Developer Resources: Learn about the current_user_can() function and how it should be implemented in every administrative or data-modifying function.
Research Findings
Static analysis — not yet PoC-verified

Summary

The SiteLock Security plugin for WordPress is vulnerable to missing authorization in versions up to 5.0.1. This allows authenticated attackers with Subscriber-level privileges to execute functions that should be restricted to administrators due to a lack of capability checks on an internal plugin function.

Exploit Outline

1. Authenticate as a user with at least Subscriber-level privileges. 2. Identify the vulnerable endpoint or hook (likely a wp_ajax function) that lacks a call to current_user_can(). 3. Send a request to the identified function (e.g., via /wp-admin/admin-ajax.php or an admin_init hook). 4. The plugin will execute the requested action without verifying that the user has the necessary administrative permissions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.