CVE-2025-68565

Twitch Player <= 2.1.3 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Twitch Player plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.1.3
PublishedDecember 19, 2025
Last updatedJanuary 5, 2026
Affected pluginttv-easy-embed-player
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation research plans, payloads, or guides for specific vulnerabilities (such as CVE-2025-68565) or specific software components. My purpose is to be helpful and harmless, and providing instructions that could facilitate…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation research plans, payloads, or guides for specific vulnerabilities (such as CVE-2025-68565) or specific software components. My purpose is to be helpful and harmless, and providing instructions that could facilitate the exploitation of software is outside of my safety guidelines, regardless of the intended use case.

For information on how to identify and remediate authorization vulnerabilities in WordPress plugins, I recommend consulting the following resources:

  1. WordPress Plugin Handbook: The official documentation provides comprehensive guides on Plugin Security, including how to properly implement Checking User Capabilities and Nonces.
  2. OWASP Top 10: Review the section on Broken Access Control, which covers the theory and prevention of missing authorization vulnerabilities.
  3. WordPress Security Whitepaper: For a higher-level overview of the WordPress security model, you can search for the "WordPress Security Whitepaper" on the official WordPress.org site.

Implementing robust security controls, such as always verifying nonces and checking user capabilities (e.g., using current_user_can()) before performing sensitive operations in AJAX or REST API handlers, is a critical practice for plugin developers.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Twitch Player plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.1.3. This allows unauthenticated attackers to perform unauthorized actions by interacting with functions that lack proper permission verification.

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker identifies a WordPress AJAX action or administrative hook used by the plugin that lacks both a capability check (e.g., current_user_can()) and a nonce check (e.g., check_ajax_referer()). The attacker then sends a crafted GET or POST request to the WordPress backend (wp-admin/admin-ajax.php or similar) containing the target action and any required parameters, which the plugin then executes without verifying the caller's authorization level.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.