
CVE-2025-60148: CWE-862 Missing Authorization in wpshuffle Subscribe to Download

Severity: Medium
Tags: Vulnerability, CVE-2025-60148, CWE-862
Published: Fri Sep 26 2025 (09/26/2025, 08:31:51 UTC)
Source: CVE Database V5
Vendor/Project: wpshuffle
Product: Subscribe to Download

Description

Missing Authorization vulnerability in wpshuffle Subscribe to Download allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe to Download: from n/a through 2.0.9.

AI-Powered Analysis

Last updated: 09/26/2025, 13:22:02 UTC

Technical Analysis

CVE-2025-60148 is a medium-severity vulnerability classified under CWE-862 (Missing Authorization) affecting the 'Subscribe to Download' plugin developed by wpshuffle. The vulnerability stems from improperly configured access control within the plugin: an authenticated user with low privileges can perform actions or reach functionality that should be restricted, and no user interaction is required. In practice this means a low-privileged user may be able to extend their capabilities or manipulate the plugin's subscription or download features without proper authorization. The CVSS 3.1 base score is 4.3, reflecting a network attack vector with low attack complexity, privileges required, no user interaction, and an impact on integrity but not on confidentiality or availability. All versions up to and including 2.0.9 are affected, and no patch links are currently provided. No known exploits have been reported in the wild as of the publication date (September 26, 2025). Because the plugin manages subscription-gated downloads, unauthorized access could lead to manipulation of subscription data or unauthorized downloads, potentially affecting business operations or revenue models that depend on controlled content distribution.

Potential Impact

For European organizations using the 'Subscribe to Download' plugin, this vulnerability could lead to unauthorized modification of subscription or download permissions, undermining content access controls. This may result in loss of revenue for businesses relying on paywalled or subscription-based digital content, unauthorized distribution of proprietary materials, or manipulation of user subscription data. While the vulnerability does not directly compromise confidentiality or availability, the integrity impact could damage trust with customers and partners. Organizations in sectors such as digital publishing, e-commerce, and online education that utilize this plugin are particularly at risk. Additionally, regulatory compliance under GDPR may be indirectly affected if subscription data integrity is compromised, leading to potential legal and reputational consequences.

Mitigation Recommendations

Given the absence of official patches, European organizations should first audit their use of the 'Subscribe to Download' plugin, identifying all instances and versions in use. Immediate mitigation steps include restricting access to the plugin's administrative and subscription management interfaces to only highly trusted users and roles, implementing additional access control layers at the web server or application firewall level to block unauthorized requests targeting the plugin's endpoints, and monitoring logs for unusual access patterns indicative of exploitation attempts. Organizations should also consider temporarily disabling the plugin if feasible until a patch is released. Regularly checking vendor communications and security advisories for updates or patches is critical. Furthermore, applying the principle of least privilege to all users interacting with the plugin and conducting penetration testing focused on access control weaknesses can help identify and remediate exploitation vectors proactively.


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-09-25T15:27:39.209Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68d692e1828ba7f61ebe57d8

Added to database: 9/26/2025, 1:19:29 PM

Last enriched: 9/26/2025, 1:22:02 PM

Last updated: 9/29/2025, 8:09:16 AM
