CVE-2025-32252 identifies a missing authorization vulnerability in the WP Genealogy – Your Family History Website plugin developed by Black and White. This plugin, designed to manage and display family history data on WordPress sites, suffers from improperly configured access control mechanisms in versions up to and including 0.1.9. The vulnerability allows attackers to bypass authorization checks, potentially enabling them to access or modify sensitive genealogical information without proper permissions. The root cause is an incorrect implementation of access control security levels, which fails to restrict certain operations to authorized users only. Although no CVSS score has been assigned and no known exploits have been reported in the wild, the vulnerability poses a significant risk because it compromises the confidentiality and integrity of user data. The flaw does not require user interaction and can be exploited remotely if the attacker can reach the vulnerable plugin endpoints. This vulnerability is particularly concerning for organizations and individuals relying on WP Genealogy to manage sensitive family history data, as unauthorized access could lead to data leakage or tampering. No official patches or updates have been published yet, emphasizing the need for immediate mitigation efforts. The vulnerability was publicly disclosed on April 4, 2025, by Patchstack, highlighting the importance of reviewing access control configurations in affected installations.

The primary impact of CVE-2025-32252 is unauthorized access and potential modification of genealogical data managed by the WP Genealogy plugin. This can lead to breaches of confidentiality, exposing sensitive personal and family history information. Integrity is also at risk, as attackers could alter or delete data, undermining trust in the website's content. For organizations, this could result in reputational damage, loss of user trust, and potential legal liabilities related to data privacy. Availability impact is limited but possible if attackers manipulate data to disrupt service or functionality. Since the vulnerability does not require authentication or user interaction, it lowers the barrier for exploitation, increasing the risk. The scope is limited to WordPress sites using the affected plugin versions, but given WordPress's widespread use and the niche but sensitive nature of genealogy data, the impact can be significant for targeted sites. No known active exploitation reduces immediate risk but does not eliminate future threats.

1. Immediately restrict access to the WP Genealogy plugin's administrative and sensitive endpoints using web application firewalls (WAF) or server-level access controls to limit exposure. 2. Monitor web server and application logs for unusual or unauthorized access attempts related to the plugin's functionality. 3. Disable or uninstall the WP Genealogy plugin if it is not essential until an official patch or update is released. 4. For sites requiring the plugin, implement strict WordPress user role management to minimize permissions granted to users interacting with the plugin. 5. Employ network segmentation and IP whitelisting where possible to restrict access to the WordPress admin interface. 6. Regularly back up genealogical data to enable recovery in case of data tampering. 7. Stay informed about vendor updates or patches and apply them promptly once available. 8. Conduct security audits focusing on access control configurations within WordPress and its plugins to detect similar misconfigurations.