CVE-2025-60152: CWE-862 Missing Authorization in wpshuffle Subscribe To Unlock
Missing Authorization vulnerability in wpshuffle Subscribe To Unlock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe To Unlock: from n/a through 1.1.5.
AI Analysis
Technical Summary
CVE-2025-60152 is a medium-severity vulnerability classified under CWE-862 (Missing Authorization) in the WordPress plugin 'Subscribe To Unlock' by wpshuffle. The plugin's access control is configured incorrectly: its authorization checks do not adequately verify that the calling user holds the capability needed to execute certain functions or reach restricted content, so an authenticated user with limited privileges can perform actions or access resources beyond their intended scope. Versions through 1.1.5 are affected; the lower bound of the affected range is not enumerated (listed as n/a). The CVSS v3.1 base score is 4.3 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: exploitable remotely over the network with low attack complexity, requiring low privileges (an authenticated account) and no user interaction, with an impact on integrity but none on confidentiality or availability. No exploits in the wild are currently reported and no patch has been linked yet. In practice, an authenticated user could perform unauthorized actions that modify data or settings within the plugin or the WordPress site, such as unauthorized content changes or manipulation of subscriptions; confidentiality and availability are not directly affected.
Potential Impact
For European organizations using the 'Subscribe To Unlock' plugin on their WordPress sites, this vulnerability could lead to unauthorized modifications of subscription-related content or settings. This may result in unauthorized access to premium content, manipulation of subscription statuses, or alteration of user entitlements, potentially undermining business models relying on subscription revenue. While the confidentiality of data is not directly impacted, the integrity breach could damage trust with customers and partners, especially in sectors where content control is critical, such as media, education, or digital services. Additionally, unauthorized changes could lead to compliance issues under European data protection regulations if subscription data or user entitlements are altered without proper authorization. The vulnerability requires authenticated access, so the risk is higher in environments where user accounts have weak credential policies or where attackers can gain low-level user credentials through phishing or credential stuffing. Since no known exploits are reported yet, the immediate risk is moderate, but organizations should act proactively to prevent exploitation.
Mitigation Recommendations
European organizations should take the following mitigation steps:
1) Review and restrict WordPress user roles and capabilities so that only trusted accounts hold authenticated access, shrinking the pool of potential attackers.
2) Monitor and audit user activity related to subscription management so that unauthorized changes are detected promptly.
3) Enforce strict password policies and multi-factor authentication (MFA) for all authenticated users to reduce the risk of credential compromise.
4) Temporarily disable or restrict the 'Subscribe To Unlock' plugin, if feasible, until an official patch is released.
5) Engage with the plugin vendor or community to obtain an update or patch as soon as one becomes available.
6) Review all access control configuration in the WordPress environment to identify and remediate similar authorization weaknesses.
7) Consider Web Application Firewall (WAF) rules that detect and block suspicious requests to subscription management endpoints.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:28:03.106Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d692e1828ba7f61ebe57e1
Added to database: 9/26/2025, 1:19:29 PM
Last enriched: 9/26/2025, 1:21:36 PM
Last updated: 9/30/2025, 9:49:38 AM
Related Threats
- CVE-2025-36262: CWE-1286 Improper Validation of Syntactic Correctness of Input in IBM Planning Analytics Local (Medium)
- CVE-2025-36132: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM Planning Analytics Local (Medium)
- CVE-2025-10659: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in MegaSys Telenium Online Web Application (Critical)
- CVE-2025-41098: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner (High)
- CVE-2025-11149: Denial of Service (DoS) in node-static (High)