CVE-2025-64247: Missing Authorization in edmon.parker Read More & Accordion
Missing Authorization vulnerability in edmon.parker Read More & Accordion expand-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Read More & Accordion: from n/a through <= 3.5.4.1.
AI Analysis
Technical Summary
CVE-2025-64247 is a missing authorization (CWE-862) flaw in Read More & Accordion, a WordPress plugin by edmon.parker (plugin slug expand-maker), in every version up to and including 3.5.4.1. The plugin adds "read more" toggles and accordion sections to page content. The CVE text classifies the attack as CAPEC-180, "Exploiting Incorrectly Configured Access Control Security Levels"; despite that wording, this class of bug in a WordPress plugin is a code defect rather than a setting: typically a request handler (an admin-ajax.php action or a REST route) that performs a privileged operation without first checking the caller's capability, so any authenticated account, whatever its role, can reach it. The CVSS vector cited for this issue (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, which scores 6.5, Medium, under CVSS 3.1) says the flaw is reachable over the network, needs no special conditions, requires only a low-privilege account such as a Subscriber, needs no interaction from another user, and affects confidentiality only: the attacker can read data they should not see, but cannot change it or disrupt the site. Scope is unchanged, so the impact stays within the affected WordPress installation. No exploitation in the wild had been reported at the time of publication, and no fixed version was listed, so administrators should check the installed plugin version against 3.5.4.1 and treat the plugin as unpatched until the vendor publishes a release above that version.
Potential Impact
For European organizations, exploitation would let an authenticated low-privilege user read content that the site meant to keep from them. Exactly what that content is depends on how the site uses the plugin's expand and accordion blocks; depending on the deployment it could be members-only or paid text, internal notes or customer details. Because the vector's PR:L means the attacker needs only a valid account, sites with open registration (membership sites, shops whose customers receive WordPress accounts, comment registration) are the most exposed: anyone on the internet can obtain the required privilege level by signing up. Integrity and availability are unaffected, so the risk is information disclosure and what follows from it: reputational damage, GDPR notification duties and possible penalties where personal data of EU residents is exposed, and loss of competitive information. The Medium rating reflects that the attacker needs an account and can only read, not write; on any site where the plugin guards non-public content that still warrants prompt mitigation.
Mitigation Recommendations
1. Confirm exposure: check whether the plugin (slug expand-maker) is installed and which version is active; every version up to and including 3.5.4.1 is affected.
2. Understand what can and cannot be fixed locally: the missing check is in plugin code, not in a setting, so no configuration change removes it. Until a fixed release exists, reduce who can reach it: close open registration if the site does not need it, prune unused low-privilege accounts, and review what the plugin's blocks contain, since the plugin should not be the only control protecting sensitive text.
3. Put a web application firewall in front of the site, and log and rate-limit requests to admin-ajax.php and the REST API from low-privilege sessions, which is where WordPress plugin handlers are usually reachable. A WAF raises the cost of mass exploitation but cannot supply the missing authorization check.
4. Monitor web server and application logs for low-privilege or newly registered accounts issuing many requests to plugin handlers, or for accounts retrieving far more expand/accordion content than a normal visitor would.
5. Watch the vendor's and Patchstack's advisories and update as soon as a release above 3.5.4.1 is published.
6. If an update cannot be applied promptly, deactivate the plugin or replace it with an alternative that has been reviewed for authorization checks.
7. Include broken access control tests in regular assessments: exercise every plugin AJAX action and REST route with a Subscriber-level account and verify that restricted data is refused.
8. Train developers and administrators on the WordPress rule that every handler which reads or changes protected data must check a capability (current_user_can) and verify a nonce, and that a nonce alone is not an authorization check.
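The following is an added illustration of the vulnerability class (CWE-862, missing authorization) that the Technical Summary describes and that mitigation items 1, 7 and 8 ask reviewers to look for. It is not code from the Read More & Accordion plugin and says nothing about how that plugin is written; the action hooks, the post meta key and the nonce action are assumptions chosen for the example. The first handler hands the hidden block of any post to any logged-in user; the second verifies the nonce and then checks object-level authorization before the lookup.

```php
<?php
// Added example, not code from the Read More & Accordion plugin. All names
// (action hooks, meta key, nonce action) are assumptions for illustration.

// ---------------------------------------------------------------------------
// Vulnerable pattern (CWE-862). The wp_ajax_ hook only requires a login, which
// is exactly the PR:L precondition in the CVSS vector. Nothing here asks
// whether the caller may read the post whose hidden block is requested.
// ---------------------------------------------------------------------------
add_action( 'wp_ajax_example_get_block', 'example_get_block_vulnerable' );

function example_get_block_vulnerable() {
    $post_id = isset( $_GET['post_id'] ) ? absint( wp_unslash( $_GET['post_id'] ) ) : 0;
    // Hidden accordion text stored in post meta (assumed storage for the example).
    $content = get_post_meta( $post_id, '_example_hidden_block', true );
    if ( '' === $content ) {
        wp_send_json_error( 'not found', 404 );
    }
    // A Subscriber can iterate post_id and pull the hidden block of private
    // posts they could never open in the normal front end.
    wp_send_json_success( $content );
}

// ---------------------------------------------------------------------------
// Hardened pattern. Order: CSRF nonce, then object-level authorization, then
// the lookup. The nonce proves the request originated from a page WordPress
// rendered for this session; it is not an authorization decision.
// ---------------------------------------------------------------------------
add_action( 'wp_ajax_example_get_block_secure', 'example_get_block_hardened' );

function example_get_block_hardened() {
    // Exits with -1 and HTTP 403 if the 'nonce' parameter does not match
    // wp_create_nonce( 'example_get_block_secure' ) for the current user.
    check_ajax_referer( 'example_get_block_secure', 'nonce' );

    $post_id = isset( $_GET['post_id'] ) ? absint( wp_unslash( $_GET['post_id'] ) ) : 0;

    // Object-level authorization: may THIS user read THIS post? 'read_post' is a
    // WordPress meta capability resolved per post, so it denies private posts
    // to users without read_private_posts and respects custom post type
    // capability mappings, which a bare is_user_logged_in() check does not.
    if ( 0 === $post_id || ! current_user_can( 'read_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $content = get_post_meta( $post_id, '_example_hidden_block', true );
    if ( '' === $content ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $content );
}

// Registering the handler only for logged-in users is deliberate: do not add a
// matching wp_ajax_nopriv_ hook unless the data really is public.
```

The client script would call admin-ajax.php with the action name, a post_id and a nonce obtained from wp_create_nonce('example_get_block_secure'). Testing the hardened handler from a Subscriber session against a private post should return HTTP 403; the same request against the vulnerable handler returns the hidden content, which is the check mitigation item 7 describes.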
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-29T03:08:12.204Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6941174d594e45819d70c3fc
Added to database: 12/16/2025, 8:24:45 AM
Last enriched: 2/6/2026, 8:17:05 AM
Last updated: 3/25/2026, 2:59:01 AM