CVE-2025-60086: Missing Authorization in Matt WP Voting Contest
Missing Authorization vulnerability in Matt WP Voting Contest wp-voting-contest allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Voting Contest: from n/a through <= 5.8.
AI Analysis
Technical Summary
CVE-2025-60086 is a missing authorization vulnerability identified in the Matt WP Voting Contest WordPress plugin, affecting versions up to and including 5.8. The flaw arises from incorrectly configured access control security levels, which allow unauthenticated attackers to access sensitive functionality or data without proper authorization checks. The vulnerability is remotely exploitable over the network without requiring any privileges or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The primary impact is on confidentiality, as attackers can retrieve protected information from the voting contest plugin, potentially exposing voter data or contest results that should be restricted. There is no impact on integrity or availability, meaning the attacker cannot modify data or disrupt service. Although no known exploits are currently reported in the wild, the high CVSS score of 7.5 reflects the significant risk posed by this vulnerability due to its ease of exploitation and sensitive data exposure. The vulnerability was reserved in late September 2025 and published in December 2025, but no official patches or mitigations have been linked yet. Organizations using this plugin should be aware of the risk and prepare to apply vendor patches or implement compensating controls. Given the widespread use of WordPress and the popularity of contest or voting plugins, this vulnerability could be leveraged to gather unauthorized information from websites running the affected plugin versions.
Potential Impact
For European organizations, the primary impact of CVE-2025-60086 is unauthorized disclosure of sensitive data managed by the WP Voting Contest plugin. This could include voter identities, contest entries, or other confidential information collected during voting processes. Such data exposure can lead to privacy violations, reputational damage, and potential regulatory non-compliance under GDPR. Although the vulnerability does not allow data modification or service disruption, the confidentiality breach alone can have serious consequences, especially for organizations conducting public or internal voting events. Attackers exploiting this flaw could gain insights into organizational decision-making processes or manipulate public perception by leaking sensitive contest data. The ease of exploitation without authentication increases the threat level, as any external attacker can attempt to access the vulnerable endpoints. European organizations with public-facing WordPress sites using this plugin are particularly at risk, especially those in sectors like media, marketing, political campaigns, or community engagement platforms that rely on voting contests. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks.
Mitigation Recommendations
1. Monitor the vendor's official channels and security advisories for the release of a patch addressing CVE-2025-60086 and apply it promptly once available.
2. Until a patch is released, restrict access to the WP Voting Contest plugin endpoints by implementing web application firewall (WAF) rules that block unauthorized requests targeting the plugin's voting or contest functionalities.
3. Conduct an audit of WordPress user roles and permissions to ensure that only trusted users have administrative or editing capabilities related to the voting contest plugin.
4. Disable or deactivate the WP Voting Contest plugin if it is not essential to business operations to eliminate exposure.
5. Employ network segmentation and access controls to limit external access to the WordPress administration interface and plugin endpoints.
6. Implement logging and monitoring for unusual access patterns or attempts to exploit the plugin, enabling early detection of exploitation attempts.
7. Educate site administrators on the risks of installing plugins from unverified sources and encourage regular plugin updates and security reviews.
8. Consider alternative voting or contest plugins with a stronger security track record if immediate patching is not feasible.
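The advisory does not publish the affected code, so the following is an added illustration (not the WP Voting Contest plugin's code and not from the advisory) of what a missing authorization check on a WordPress REST route looks like beside its hardened form, which is the kind of fix a patch for this flaw class would carry. The namespace, route, capability and function names are assumptions.

```php
<?php
// Illustrative pattern only (not code from the WP Voting Contest plugin):
// a hypothetical REST route exposing contest results. All names are assumed.
// Unsafe registration: permission_callback => '__return_true' lets any
// unauthenticated visitor read data intended for contest managers.
// This is the missing-authorization shape described in the advisory.
function demo_register_results_route_unsafe() {
    register_rest_route( 'demo-contest/v1', '/results/(?P<contest_id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'demo_get_results',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened registration: the same route, now gated on a capability check
// and with its argument validated and sanitized before the callback runs.
function demo_register_results_route_safe() {
    register_rest_route( 'demo-contest/v1', '/results/(?P<contest_id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'demo_get_results',
        'permission_callback' => 'demo_can_view_results',
        'args'                => array(
            'contest_id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}

// Authorization check: rest_authorization_required_code() yields 401 for
// anonymous callers and 403 for logged-in users lacking the capability.
function demo_can_view_results( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_demo_contests' ) ) { // assumed custom capability
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to view contest results.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function demo_get_results( WP_REST_Request $request ) {
    $contest_id = (int) $request['contest_id'];
    // Placeholder data source; a real plugin reads its own tables here.
    return rest_ensure_response( apply_filters( 'demo_contest_results', array(), $contest_id ) );
}
add_action( 'rest_api_init', 'demo_register_results_route_safe' );
```

When auditing a plugin for this class of bug, search its `register_rest_route` calls and `wp_ajax_nopriv_` hooks for handlers that return data without a `current_user_can` or nonce check.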
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:20:02.782Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6943b04e4eb3efac3670038b
Added to database: 12/18/2025, 7:42:06 AM
Last enriched: 1/20/2026, 9:40:24 PM
Last updated: 2/7/2026, 12:21:20 PM