CVE-2025-1481 identifies a missing authorization vulnerability (CWE-862) in the mandooox Shortcode Cleaner Lite plugin for WordPress, specifically in the download_backup() function. This function lacks proper capability checks, allowing any authenticated user with Subscriber-level access or higher to invoke it and export arbitrary WordPress options data. Since WordPress roles such as Subscriber are low privilege, this vulnerability significantly lowers the bar for unauthorized data access. The vulnerability affects all versions up to and including 1.0.9. The CVSS v3.1 score is 6.5 (medium severity), with an attack vector of network (remote), low attack complexity, privileges required at the low level, no user interaction, and impact limited to confidentiality (high). The flaw does not affect data integrity or availability. No patches or exploits are currently reported, but the risk remains due to the ease of exploitation by authenticated users. This vulnerability could expose sensitive site configuration and options data, potentially aiding further attacks or data leakage. The plugin is used in WordPress environments, which are widely deployed globally, making this a relevant concern for many organizations using this plugin.

The primary impact of CVE-2025-1481 is unauthorized disclosure of sensitive WordPress options data, which may include site configuration, API keys, or other confidential information stored in options. This breach of confidentiality can facilitate further attacks such as privilege escalation, targeted phishing, or site takeover. Since the vulnerability requires only Subscriber-level authentication, attackers can exploit compromised or low-privilege accounts, increasing the attack surface. Although integrity and availability are not directly affected, the exposure of sensitive data can indirectly lead to more severe compromises. Organizations running WordPress sites with this plugin are at risk of data leakage, reputational damage, and potential regulatory compliance issues if sensitive data is exposed. The lack of known exploits in the wild suggests limited current exploitation, but the vulnerability's nature makes it likely to be targeted once widely known.

To mitigate CVE-2025-1481, organizations should first restrict access to WordPress accounts, ensuring that Subscriber-level accounts are tightly controlled and monitored. Implement strong authentication and account management policies to reduce the risk of account compromise. Until an official patch is released, consider disabling or uninstalling the Shortcode Cleaner Lite plugin if it is not essential. If the plugin is required, restrict access to the download_backup() function by applying custom capability checks or using security plugins that can enforce granular permissions. Monitor logs for unusual export or backup download activity, especially from low-privilege accounts. Keep WordPress core and all plugins updated, and subscribe to vendor advisories for timely patch releases. Additionally, conduct regular audits of WordPress options data to detect unauthorized access or changes.