CVE-2025-5812 identifies a missing authorization vulnerability (CWE-862) in the VG WORT METIS plugin for WordPress, specifically in the gutenberg_save_post() function. This function lacks proper capability checks, enabling authenticated users with minimal privileges (Subscriber-level and above) to update limited post settings without appropriate authorization. The vulnerability affects all versions up to and including 2.0.0 of the plugin. Since the flaw allows modification of post settings, it compromises data integrity but does not affect confidentiality or availability. The attack vector is network-based, requiring only authenticated access but no user interaction, making exploitation relatively straightforward for legitimate users with low privileges. The CVSS v3.1 score is 4.3 (medium severity), reflecting the limited scope and impact. No patches or official fixes are currently listed, and no known exploits have been reported in the wild. The vulnerability is particularly relevant for WordPress sites using the VG WORT METIS plugin, which is primarily used in German-speaking markets for tracking and reporting purposes. The missing authorization check could be leveraged to manipulate post metadata or settings, potentially impacting site content management and analytics.

The primary impact of CVE-2025-5812 is unauthorized modification of post settings, which undermines data integrity within affected WordPress sites. Attackers with Subscriber-level access or higher can alter post metadata or configurations, potentially leading to misinformation, content mismanagement, or disruption of site analytics and reporting functions. While the vulnerability does not expose sensitive data or cause denial of service, the integrity compromise can affect editorial workflows and trustworthiness of published content. Organizations relying on VG WORT METIS for accurate content tracking may experience degraded data quality or manipulation. The ease of exploitation by low-privilege authenticated users increases the risk, especially in environments with many registered users or weak account controls. Although no widespread exploitation is known, the vulnerability could be leveraged in targeted attacks against content management systems, particularly in sectors where content accuracy and reporting are critical.

To mitigate CVE-2025-5812, organizations should first verify whether they use the VG WORT METIS plugin and identify the installed version. Since no official patch is currently available, immediate mitigation involves restricting user roles and permissions to minimize Subscriber-level users or auditing user accounts for suspicious activity. Administrators can implement custom capability checks or hooks to enforce authorization on the gutenberg_save_post() function, effectively blocking unauthorized post setting modifications. Monitoring WordPress logs for unusual post update activities by low-privilege users is recommended. Additionally, isolating the plugin's functionality or disabling it temporarily can reduce risk until a vendor patch is released. Organizations should subscribe to vendor advisories and update the plugin promptly once a fix becomes available. Employing a Web Application Firewall (WAF) with rules targeting unauthorized post modifications may provide an additional layer of defense.