CVE-2025-62144 identifies a missing authorization vulnerability (CWE-862) in the Mohammed Kaludi Core Web Vitals & PageSpeed Booster plugin, which is used to optimize website performance metrics. The vulnerability arises from incorrectly configured access control security levels, allowing users with low privileges (PR:L) to perform actions that should be restricted. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) indicates that the vulnerability is remotely exploitable over the network without user interaction, requires low complexity, and some privileges but no user interaction. The impact affects confidentiality and integrity to a limited extent but does not affect availability. The plugin versions up to 1.0.27 are affected, although the exact range is not fully specified. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and assigned a CVE ID. This missing authorization flaw could allow an attacker to access or modify sensitive plugin settings or data, potentially undermining website performance configurations or exposing internal metrics. Since the plugin is commonly used in WordPress environments, exploitation could be a stepping stone for further attacks if combined with other vulnerabilities or misconfigurations.

For European organizations, the vulnerability poses a risk of unauthorized access to web performance optimization settings, which could lead to exposure or manipulation of sensitive data related to website metrics and configurations. While the direct impact on confidentiality and integrity is limited, attackers could leverage this flaw to gain footholds or gather intelligence for more damaging attacks. Organizations relying heavily on WordPress and this specific plugin for SEO and performance improvements may face degraded trust or operational disruptions if attackers alter configurations. The absence of availability impact reduces the risk of service outages, but the integrity compromise could affect website behavior and user experience. Given the medium severity and the requirement for some privileges, the threat is more relevant to organizations with multiple user roles or delegated administration, common in larger enterprises and agencies. The lack of known exploits suggests a window for proactive mitigation before active attacks emerge.

Organizations should immediately inventory their WordPress installations to identify the presence of the Mohammed Kaludi Core Web Vitals & PageSpeed Booster plugin and verify the version in use. Until an official patch is released, restrict plugin management capabilities strictly to trusted administrators and review user roles to minimize privilege exposure. Implement strict access control policies and audit logs to detect unauthorized attempts to access or modify plugin settings. Consider disabling or removing the plugin if it is not essential, or replace it with alternative tools that have a stronger security posture. Monitor security advisories from the vendor and Patchstack for updates or patches. Additionally, employ web application firewalls (WAFs) to detect and block suspicious requests targeting plugin endpoints. Regularly update WordPress core and all plugins to reduce the attack surface and maintain a secure environment.