CVE-2025-48339: CWE-862 Missing Authorization in activity-log.com Profiler - What Slowing Down Your WP
Missing Authorization vulnerability in activity-log.com Profiler - What Slowing Down Your WP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Profiler - What Slowing Down Your WP: from n/a through 1.0.0.
AI Analysis
Technical Summary
CVE-2025-48339 is a Missing Authorization vulnerability (CWE-862) identified in the WordPress plugin "Profiler - What Slowing Down Your WP" developed by activity-log.com. This vulnerability arises due to incorrectly configured access control security levels, allowing unauthorized users to access functionality or data that should be restricted. The affected versions include all versions up to 1.0.0, with no specific version exclusions noted. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) reveals that the vulnerability is remotely exploitable over the network without requiring any privileges or user interaction. The impact affects confidentiality and integrity but does not affect availability. Since the vulnerability is related to missing authorization, an attacker can potentially access sensitive profiling data or manipulate performance-related information that the plugin collects or displays, which could lead to information disclosure or unauthorized changes in the plugin’s behavior. No known exploits are reported in the wild as of the publication date (July 16, 2025), and no patches have been released yet. The vulnerability is particularly relevant to WordPress sites using this plugin for performance profiling and diagnostics.
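As an added illustration of the CWE-862 pattern described above (this is not code from the Profiler plugin, whose handlers are not shown on this page), the following hypothetical WordPress REST route and AJAX handler show the defect and its fix; the route path, `prof_*` function names and option name are assumptions made for the example.

```php
<?php
// Added illustration, not Profiler plugin code. All prof_* names, the
// route path and the option name are assumptions for this example.

// Weak form (CWE-862): the permission callback unconditionally returns
// true, so any unauthenticated visitor can read the profiling report.
function prof_register_route_weak() {
    register_rest_route( 'profiler-example/v1', '/report', array(
        'methods'             => 'GET',
        'callback'            => 'prof_get_report',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened form: the permission callback requires a capability that
// only administrators hold by default; WordPress answers 401/403 otherwise.
function prof_register_route_hardened() {
    register_rest_route( 'profiler-example/v1', '/report', array(
        'methods'             => 'GET',
        'callback'            => 'prof_get_report',
        'permission_callback' => 'prof_can_view_report',
    ) );
}

function prof_can_view_report( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

function prof_get_report() {
    return rest_ensure_response( get_option( 'prof_example_report', array() ) );
}

// The same rule applies to admin-ajax.php handlers: verify the nonce
// (CSRF) and the capability (authorization) before doing any work.
function prof_ajax_clear_report() {
    check_ajax_referer( 'prof_clear_report', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'prof_example_report' );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ hook is registered: adding one would re-create the
// missing-authorization defect for logged-out requests.
add_action( 'wp_ajax_prof_clear_report', 'prof_ajax_clear_report' );
add_action( 'rest_api_init', 'prof_register_route_hardened' );
```

When reviewing a plugin for this class of bug, grep for `permission_callback' => '__return_true'` and `wp_ajax_nopriv_` hooks whose handlers change or disclose data, and confirm each has a capability check.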
Potential Impact
For European organizations, this vulnerability poses a risk primarily to websites and web applications running WordPress with the "Profiler - What Slowing Down Your WP" plugin installed. Unauthorized access to profiling data could expose sensitive operational metrics or user behavior analytics, potentially leaking confidential information. Integrity impacts could allow attackers to manipulate performance data, misleading administrators and complicating incident response or performance tuning efforts. While availability is not directly impacted, the loss of trust in the accuracy of profiling data could degrade operational effectiveness. Organizations in sectors with strict data protection regulations such as GDPR (e.g., finance, healthcare, government) may face compliance risks if sensitive data is exposed. Additionally, attackers could leverage this vulnerability as a foothold for further attacks on the web infrastructure. Given the plugin’s use in performance diagnostics, organizations relying on it for critical monitoring might experience degraded security posture if the vulnerability is exploited.
Mitigation Recommendations
Immediate mitigation steps include auditing all WordPress installations to identify the presence of the "Profiler - What Slowing Down Your WP" plugin. Until an official patch is released, organizations should consider disabling or uninstalling the plugin to eliminate the attack surface. If disabling is not feasible, restrict access to the plugin’s functionality by implementing web application firewall (WAF) rules that limit access to trusted IP addresses or authenticated users only. Monitoring web server logs for unusual access patterns targeting the plugin’s endpoints is recommended. Additionally, organizations should review and tighten WordPress user roles and permissions to minimize exposure. Once a patch becomes available, prioritize its deployment after testing in staging environments. Finally, maintain regular backups and ensure incident response plans include scenarios involving unauthorized access to profiling or diagnostic data.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-05-19T14:14:34.469Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68779109a83201eaacda589f
Added to database: 7/16/2025, 11:46:17 AM
Last enriched: 7/16/2025, 12:05:27 PM
Last updated: 8/14/2025, 10:38:42 PM
Related Threats
- CVE-2025-9095: Cross Site Scripting in ExpressGateway express-gateway (Medium)
- CVE-2025-7342: CWE-798 Use of Hard-coded Credentials in Kubernetes Image Builder (High)
- CVE-2025-9094: Improper Neutralization of Special Elements Used in a Template Engine in ThingsBoard (Medium)
- CVE-2025-9093: Improper Export of Android Application Components in BuzzFeed App (Medium)
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)