
CVE-2025-5812: CWE-862 Missing Authorization in vgwort VG WORT METIS

Medium
Vulnerability | CVE-2025-5812 | CWE-862
Published: Thu Jun 26 2025 (06/26/2025, 02:06:33 UTC)
Source: CVE Database V5
Vendor/Project: vgwort
Product: VG WORT METIS

Description

The VG WORT METIS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gutenberg_save_post() function in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited post settings.

AI-Powered Analysis

AI analysis last updated: 06/26/2025, 02:28:21 UTC

Technical Analysis

CVE-2025-5812 is a medium-severity vulnerability affecting the VG WORT METIS plugin for WordPress, specifically all versions up to and including 2.0.0. The vulnerability stems from a missing authorization check in the function gutenberg_save_post(), which is responsible for saving post data within the WordPress Gutenberg editor environment. Because no capability check is performed, authenticated users with Subscriber-level access or higher can modify certain post settings that they would not normally be authorized to change. This vulnerability falls under CWE-862 (Missing Authorization): the application fails to verify that a user holds the appropriate permission before allowing an action.

The CVSS 3.1 base score is 4.3 (medium), with a vector of network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), limited integrity impact (I:L), and no availability impact (A:N). Exploitation is relatively straightforward since it only requires authenticated access at Subscriber level, a low-privilege role in WordPress. However, the impact is limited to unauthorized modification of certain post settings, not full content modification or site takeover. No known exploits are reported in the wild yet, and no patches have been linked at the time of publication.

The vulnerability affects all versions of the VG WORT METIS plugin up to and including 2.0.0; the plugin is used primarily for integrating VG WORT tracking and reporting functionality into WordPress sites. The issue matters most in environments where multiple users hold Subscriber or higher roles and where the integrity of post metadata or settings is important. Attackers could leverage this flaw to manipulate post settings, potentially affecting content presentation, tracking data, or other plugin-related configuration, which could lead to misinformation or inaccurate reporting metrics.

Potential Impact

For European organizations, especially those relying on WordPress sites with the VG WORT METIS plugin installed, this vulnerability could undermine the integrity of content-related data and reporting. VG WORT is a German organization responsible for collecting and distributing royalties for authors and publishers, and its plugin is used to track and report content usage. Unauthorized modification of post settings could lead to inaccurate royalty reporting or manipulation of tracking data, potentially causing financial discrepancies or compliance issues. Organizations involved in publishing, media, or academic content in Europe that use this plugin are at risk of data integrity issues. While the vulnerability does not allow full content modification or site takeover, the ability for low-privilege users to alter post settings could be exploited for fraud or sabotage. This could also erode trust in content accuracy and reporting metrics. Since the vulnerability requires authenticated access, the risk is higher in environments with many registered users or where subscriber accounts are easily created or compromised. The impact on availability and confidentiality is minimal, but the integrity impact, though limited, is significant for organizations dependent on accurate VG WORT data. Additionally, the absence of patches means the vulnerability window remains open, increasing exposure.

Mitigation Recommendations

1. Immediate mitigation should include restricting Subscriber-level user registrations and reviewing user roles to minimize the number of users with authenticated access.
2. Implement strict user role auditing and remove unnecessary accounts with Subscriber or higher privileges.
3. Use WordPress security plugins or custom code to enforce capability checks on the gutenberg_save_post() function as a temporary workaround until an official patch is released.
4. Monitor and log changes to post settings related to VG WORT METIS to detect unauthorized modifications promptly.
5. Limit plugin usage to trusted administrators and consider disabling or removing the VG WORT METIS plugin if it is not essential.
6. Stay alert for official patches or updates from the vendor and apply them immediately upon release.
7. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious post modification attempts targeting the vulnerable function.
8. Educate site administrators and content managers about the risk and encourage strong password policies and multi-factor authentication to reduce the risk of account compromise.
9. Conduct regular security assessments focusing on user privilege escalation and unauthorized data modification vectors within WordPress environments.
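To make the CWE-862 pattern described in the Technical Analysis concrete, and to show what mitigations 3 (enforce a capability check) and 4 (log unauthorized changes) look like in code, here is an added illustration. It is not the VG WORT METIS plugin's own code and does not reproduce gutenberg_save_post(); the page does not show how that function is wired up, so the hook names, the meta key `_example_post_setting`, the request parameters and the function names below are all hypothetical. It uses only standard WordPress API calls: the vulnerable shape trusts any logged-in session, the hardened shape gates the same work behind a nonce and a per-post `edit_post` capability check, and the audit hook flags changes made by a user who lacks that capability.

```php
<?php
/**
 * Added illustration, not the VG WORT METIS plugin's code.
 * Hook names, meta key and request parameters are hypothetical.
 */

// --- Vulnerable shape (CWE-862): any authenticated user reaches this handler ---
// wp_ajax_* only requires a logged-in session, so a Subscriber can invoke it.
add_action( 'wp_ajax_example_save_post_settings', 'example_save_post_settings_vulnerable' );

function example_save_post_settings_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    $setting = isset( $_POST['setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['setting'] ) )
        : '';

    // Missing authorization: nothing verifies the caller may edit this post.
    update_post_meta( $post_id, '_example_post_setting', $setting );
    wp_send_json_success();
}

// --- Hardened shape (mitigation 3): same work, gated by nonce + capability ---
add_action( 'wp_ajax_example_save_post_settings_safe', 'example_save_post_settings_safe' );

function example_save_post_settings_safe() {
    // Reject requests that did not originate from our own editor UI (CSRF).
    check_ajax_referer( 'example_save_post_settings', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;

    // Authorization: the caller must be allowed to edit *this* post.
    // Subscribers fail here; Authors pass only for their own posts.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $setting = isset( $_POST['setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['setting'] ) )
        : '';
    update_post_meta( $post_id, '_example_post_setting', $setting );
    wp_send_json_success();
}

// --- Detection (mitigation 4): log changes to the setting made by users who
// cannot edit the post, regardless of which code path performed the write ---
add_action( 'updated_post_meta', 'example_audit_post_setting_change', 10, 4 );

function example_audit_post_setting_change( $meta_id, $post_id, $meta_key, $meta_value ) {
    if ( '_example_post_setting' !== $meta_key ) {
        return;
    }
    if ( current_user_can( 'edit_post', $post_id ) ) {
        return; // legitimate editor; nothing to flag
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'SUSPICIOUS: user %d (%s) changed %s on post %d without edit_post capability',
        $user->ID,
        $user->user_login,
        $meta_key,
        $post_id
    ) );
}
```

The important detail is the check on `edit_post` for the specific post ID rather than a generic role test: WordPress maps that meta-capability per post, so it correctly distinguishes a Subscriber from an Author editing their own post. The audit hook is a stop-gap for site operators who cannot patch yet; it writes to the PHP error log, which a log-collection pipeline or WAF rule (mitigation 7) can then alert on.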


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-06-06T15:59:18.761Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 685cac97e230f5b23486120e

Added to database: 6/26/2025, 2:12:39 AM

Last enriched: 6/26/2025, 2:28:21 AM

Last updated: 8/9/2025, 5:00:38 PM
