
CVE-2025-54018: CWE-862 Missing Authorization in CreativeMindsSolutions CM Pop-Up banners

Severity: Medium
Tags: Vulnerability, CVE-2025-54018, CWE-862
Published: Wed Jul 16 2025 (07/16/2025, 10:36:43 UTC)
Source: CVE Database V5
Vendor/Project: CreativeMindsSolutions
Product: CM Pop-Up banners

Description

Missing Authorization vulnerability in CreativeMindsSolutions CM Pop-Up banners allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM Pop-Up banners: from n/a through 1.8.4.

AI-Powered Analysis

AI analysis last updated: 07/16/2025, 11:06:10 UTC

Technical Analysis

CVE-2025-54018 is a Missing Authorization vulnerability (CWE-862) in the CreativeMindsSolutions CM Pop-Up banners WordPress plugin, affecting versions up to and including 1.8.4. It arises from improperly configured access control: an authenticated user with low privileges can perform actions or read resources that should be restricted to more privileged roles. The CVSS 3.1 vector characterises it as network exploitable (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The impact is primarily to confidentiality, with no direct impact on integrity or availability: an attacker holding some level of authenticated access can bypass authorization checks and potentially view sensitive information or data related to the pop-up banners. No known exploits have been reported in the wild, and no patch has been linked yet. The vulnerability is rated medium severity with a CVSS 3.1 base score of 4.3, reflecting a limited but meaningful risk. Even so, missing authorization checks in a widely used WordPress plugin can expose data or configuration that could support further attacks or information gathering.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized access to information managed or displayed via the CM Pop-Up banners plugin on their websites. Since this plugin is used to manage pop-up content, unauthorized access could expose marketing strategies, user interaction data, or other sensitive content intended only for privileged users. Although the direct impact on system integrity and availability is minimal, the confidentiality breach could have reputational consequences, especially under GDPR regulations where unauthorized data access must be reported and can lead to fines. Organizations relying on this plugin for customer engagement or internal communications could face data leakage risks. Attackers exploiting this vulnerability could gain footholds for further exploitation or social engineering attacks. The medium severity indicates that while the risk is not critical, it should not be ignored, especially for organizations with strict data protection requirements.

Mitigation Recommendations

1. Immediately review and restrict user privileges related to the CM Pop-Up banners plugin so that only trusted users have access.
2. Monitor and audit access logs for unusual activity involving the pop-up banner management interfaces.
3. Apply the principle of least privilege to all users who interact with the plugin.
4. Since no patch is currently available, consider temporarily disabling the plugin or replacing it with an alternative until a fix is released.
5. Implement web application firewall (WAF) rules to detect and block unauthorized access attempts against the plugin's endpoints.
6. Regularly check for updates from CreativeMindsSolutions and apply patches promptly once available.
7. Conduct internal penetration testing focused on authorization-bypass scenarios to identify any related weaknesses.
8. Educate administrators and users about the risks of privilege misuse, and ensure strong authentication mechanisms are in place to reduce the risk of compromised accounts.


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-07-16T08:51:37.993Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687782faa83201eaacd97958

Added to database: 7/16/2025, 10:46:18 AM

Last enriched: 7/16/2025, 11:06:10 AM

Last updated: 8/5/2025, 5:07:25 AM
