
CVE-2025-5190: CWE-288 Authentication Bypass Using an Alternate Path or Channel in sorich87 Browse As

Severity: High
Type: Vulnerability
Tags: CVE-2025-5190, cve, cve-2025-5190, cwe-288
Published: Fri May 30 2025 (05/30/2025, 11:15:10 UTC)
Source: CVE Database V5
Vendor/Project: sorich87
Product: Browse As

Description

The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the user id.

AI-Powered Analysis

Last updated: 07/07/2025, 21:57:57 UTC

Technical Analysis

CVE-2025-5190 is a high-severity authentication bypass vulnerability affecting the Browse As plugin for WordPress, developed by sorich87. It exists in all versions of the plugin up to and including 0.2. The root cause is improper authentication validation within the 'IS_BA_Browse_As::notice' function, specifically in how it handles the 'is_ba_original_user_COOKIEHASH' cookie value. An attacker with at least subscriber-level permissions on a WordPress site can exploit this flaw to impersonate any existing user, including administrators, provided they know the target user's ID. The bypass does not require user interaction and can be executed remotely over the network. The vulnerability is classified under CWE-288, which covers authentication bypass through an alternate path or channel. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. Although no public exploits have been reported yet, the nature of the vulnerability makes it a significant risk for WordPress sites using this plugin, because it allows a low-privileged account to escalate privileges and take full control of the site.
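
The kind of check whose absence CWE-288 describes, as an added example (not the plugin's code and not a vendor patch): a cookie that names the "original user" is only trustworthy if the server can verify that it issued that exact value for the current session. The function names, the key and the session tokens below are hypothetical.

```php
<?php
// Added illustration, not code from the Browse As plugin.
// SECRET stands in for a server-side key (assumption); in WordPress a
// value from wp_salt() could play this role.
const SECRET = 'constructed-demo-key';

// Issue the "original user" cookie value when a privileged user starts
// browsing as someone else. The MAC binds the original user ID and an
// expiry to the server-side session token, so the value cannot simply
// be typed in by a client.
function issue_original_user_value(int $originalId, string $sessionToken, int $expires): string
{
    $payload = $originalId . '|' . $expires;
    $mac = hash_hmac('sha256', $payload . '|' . $sessionToken, SECRET);
    return $payload . '|' . $mac;
}

// Return the original user ID only if the value is well formed, intact,
// unexpired and bound to this session; otherwise return null.
function verify_original_user_value(string $value, string $sessionToken, int $now): ?int
{
    $parts = explode('|', $value);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null; // a bare user ID or any other malformed value
    }
    [$id, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $id . '|' . $expires . '|' . $sessionToken, SECRET);
    // hash_equals() compares in constant time.
    if (!hash_equals($expected, $mac) || (int) $expires < $now) {
        return null;
    }
    return (int) $id;
}

// Constructed sample values.
$now  = 1700000000;
$good = issue_original_user_value(1, 'session-A', $now + 600);

var_dump(verify_original_user_value($good, 'session-A', $now));       // issued value, same session
var_dump(verify_original_user_value('1', 'session-A', $now));         // bare user ID
var_dump(verify_original_user_value($good, 'session-B', $now));       // replayed in another session
var_dump(verify_original_user_value($good, 'session-A', $now + 601)); // past its expiry
```

Only the first call yields a user ID; the other three return null. A verified value should still be followed by a capability check on the original account before any user switch is performed.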

Potential Impact

For European organizations, this vulnerability poses a serious threat, especially for those relying on WordPress sites with the Browse As plugin installed. Successful exploitation can lead to full administrative access, enabling attackers to modify website content, steal sensitive data, inject malicious code, or disrupt services. This can result in data breaches violating GDPR regulations, reputational damage, and operational downtime. Organizations in sectors such as finance, healthcare, government, and e-commerce are particularly at risk due to the sensitive nature of their data and the criticality of their online presence. The ease of exploitation by low-privilege users increases the likelihood of insider threats or compromised accounts being leveraged for attacks. Additionally, the lack of public patches or mitigations at the time of disclosure heightens the urgency for organizations to implement protective measures promptly.

Mitigation Recommendations

1. Immediate mitigation involves disabling or uninstalling the Browse As plugin until a security patch is released by the vendor.
2. Restrict subscriber-level user permissions and audit existing user roles to minimize the number of accounts that could exploit this vulnerability.
3. Implement strict monitoring and logging of user activities, focusing on privilege escalations and unusual login patterns.
4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable function or cookie manipulation attempts.
5. Enforce multi-factor authentication (MFA) for all users, especially administrators, to reduce the risk of account compromise.
6. Regularly update WordPress core and plugins, and subscribe to security advisories from trusted sources to apply patches promptly once available.
7. Conduct security awareness training for site administrators and users about the risks of privilege escalation and the importance of secure credential handling.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-26T05:12:25.477Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839a468182aa0cae2aec754

Added to database: 5/30/2025, 12:28:24 PM

Last enriched: 7/7/2025, 9:57:57 PM

Last updated: 8/12/2025, 9:05:35 AM
