
CVE-2025-64282: CWE-639 Authorization Bypass Through User-Controlled Key in RadiusTheme Radius Blocks

Medium
Tags: Vulnerability, CVE-2025-64282, cve, cve-2025-64282, cwe-639
Published: Thu Dec 18 2025 (12/18/2025, 16:18:54 UTC)
Source: CVE Database V5
Vendor/Project: RadiusTheme
Product: Radius Blocks

Description

Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Radius Blocks: from n/a through 2.2.1.

AI-Powered Analysis

AI analysis last updated: 12/18/2025, 17:56:19 UTC

Technical Analysis

CVE-2025-64282 identifies an authorization bypass vulnerability in the Radius Blocks plugin developed by RadiusTheme, specifically affecting versions up to 2.2.1. The root cause is an incorrect configuration of access control security levels, categorized under CWE-639 (Authorization Bypass Through User-Controlled Key). This vulnerability allows an attacker with limited privileges (PR:L) to exploit user-controlled keys to bypass intended authorization checks, potentially gaining unauthorized access to confidential information. The vulnerability is remotely exploitable (AV:N) without requiring user interaction (UI:N), and the attack complexity is low (AC:L). The scope is unchanged (S:U), meaning the exploit affects only the vulnerable component without impacting other system components. The CVSS v3.1 base score is 4.3, reflecting a medium severity primarily due to confidentiality impact (C:L), with no integrity (I:N) or availability (A:N) impact. No patches or known exploits are currently available or reported. The vulnerability highlights a misconfiguration issue rather than a code flaw, emphasizing the importance of proper access control design and validation in plugin development. Organizations using Radius Blocks in their WordPress environments should audit their access control settings and monitor for suspicious activities until a patch is released.
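The following is an added illustration of the CWE-639 pattern the analysis describes, not code from Radius Blocks or RadiusTheme (the affected code is not shown on this page). It is a hypothetical WordPress REST endpoint in which the record is selected by a caller-supplied `id`, shown first in a vulnerable form whose only gate is "is the caller logged in" (matching PR:L), then in a hardened form where the decision is made against the authenticated user rather than the supplied key. The namespace `example-blocks/v1`, the post type `eb_block`, the access policy and every function name below are assumptions made for the example.

```php
<?php
/**
 * Added example illustrating CWE-639 in a WordPress REST endpoint.
 * Not Radius Blocks code: the namespace "example-blocks/v1", the post type
 * "eb_block", the access policy and every function name are assumptions.
 */

// ---- Vulnerable form -------------------------------------------------------
// The object is chosen by a caller-supplied key and the only gate is
// "is the caller logged in" (PR:L). Any authenticated user can therefore read
// any other user's block simply by changing the ID in the URL.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blocks/v1', '/block-vulnerable/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'eb_get_block_vulnerable',
        'permission_callback' => 'is_user_logged_in',
    ) );
} );

function eb_get_block_vulnerable( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] ); // user-controlled key, no ownership check
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'No such block', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'      => $post->ID,
        'content' => $post->post_content, // returned to whoever asked for it
    ) );
}

// ---- Hardened form ---------------------------------------------------------
// The key still selects the object, but whether to return it is decided from
// the authenticated user's identity and capabilities, never from the key
// alone. WordPress runs the permission callback before the handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blocks/v1', '/block/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'eb_get_block_hardened',
        'permission_callback' => 'eb_can_read_block',
        'args'                => array(
            'id' => array(
                'required'          => true,
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );

function eb_can_read_block( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_unauthorized', 'Authentication required', array( 'status' => 401 ) );
    }
    $post = get_post( absint( $request['id'] ) );
    // "Does not exist" and "not yours" get the same answer, so the endpoint
    // cannot be used to confirm which IDs exist.
    if ( ! $post || 'eb_block' !== $post->post_type ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    // Policy assumed for this example: the block's author may read it, and so
    // may anyone who can edit other users' posts (editors and administrators).
    $is_owner = (int) $post->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    return true;
}

function eb_get_block_hardened( WP_REST_Request $request ) {
    // Already authorised by eb_can_read_block(); the handler only formats output.
    $post = get_post( absint( $request['id'] ) );
    return rest_ensure_response( array(
        'id'      => $post->ID,
        'content' => $post->post_content,
    ) );
}
```

The point of the contrast is that the REST server, the route pattern and the lookup are identical in both forms; the difference lies entirely in what the permission callback decides. A review of a plugin for this weakness therefore concentrates on every `permission_callback` (and the equivalent checks in `admin-ajax.php` handlers), asking whether the check considers only whether the caller is logged in or also whether the caller is entitled to the specific object named by the request.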

Potential Impact

For European organizations, this vulnerability poses a moderate risk of unauthorized access to confidential data managed or displayed via the Radius Blocks plugin. While it does not directly affect system integrity or availability, unauthorized data exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage. Organizations relying on Radius Blocks for critical customer-facing or internal portals may inadvertently expose sensitive user information or business data. The requirement for some privilege level reduces the risk of widespread exploitation but does not eliminate insider threats or attacks leveraging compromised accounts. The absence of known exploits in the wild currently limits immediate risk, but the vulnerability could be targeted once publicly disclosed. European entities with strict data protection regulations must prioritize remediation to avoid legal and financial consequences.

Mitigation Recommendations

1. Immediately audit and review access control configurations within the Radius Blocks plugin settings to ensure that user-controlled keys cannot bypass authorization checks.
2. Limit user privileges strictly following the principle of least privilege to reduce the risk of exploitation by low-privileged users.
3. Monitor logs and access patterns for unusual activities that might indicate attempts to exploit authorization bypass.
4. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting Radius Blocks endpoints.
5. Stay informed about official patches or updates from RadiusTheme and apply them promptly once released.
6. Consider temporarily disabling or restricting the Radius Blocks plugin if it is not essential or if the risk outweighs its benefits until a fix is available.
7. Conduct penetration testing focusing on authorization controls to identify similar misconfigurations in other plugins or custom code.
8. Educate administrators and developers about secure access control practices to prevent similar vulnerabilities in the future.
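As an added example of the log monitoring recommended above (not code from the page, the vendor or the plugin), the script below reviews web-server access logs for the signature that authorization-bypass attempts against an ID-keyed endpoint usually leave: one principal requesting many distinct object IDs on the same plugin route, often with a mix of allowed and refused responses. The route `/wp-json/example-blocks/v1/block/<id>`, the threshold and the log lines are constructed for illustration; in practice the function is run over the real access log with the route pattern changed to the plugin's own endpoints.

```php
<?php
/**
 * Added example (not from the page or the vendor): flag a principal that
 * requests many distinct object IDs from a plugin REST route, which is what
 * ID enumeration against a CWE-639 weakness looks like in access logs.
 * The route and the sample log lines below are constructed for illustration.
 */

// Route to watch (assumed for this example); the capture group is the object ID.
const EB_ROUTE_PATTERN = '#^/wp-json/example-blocks/v1/block/(\d+)#';
// Combined log format: client ip, ident, authenticated user, time, request line, status.
const EB_LOG_PATTERN = '/^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})/';

/**
 * Returns, per principal (logged-in username, or client IP when anonymous),
 * the number of distinct IDs requested on the watched route and how many of
 * those requests were refused (403/404). Only principals at or above
 * $threshold distinct IDs are returned.
 */
function eb_find_enumeration( string $log, int $threshold ): array {
    $seen = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( EB_LOG_PATTERN, $line, $m ) ) {
            continue; // not a log line in the expected format
        }
        list( , $ip, $user, , $path, $status ) = $m;
        if ( ! preg_match( EB_ROUTE_PATTERN, $path, $r ) ) {
            continue; // unrelated route
        }
        $who = ( '-' === $user ) ? $ip : $user;
        $seen[ $who ]['ids'][ $r[1] ] = true;
        $refused = in_array( $status, array( '403', '404' ), true ) ? 1 : 0;
        $seen[ $who ]['denied'] = ( $seen[ $who ]['denied'] ?? 0 ) + $refused;
    }
    $flagged = array();
    foreach ( $seen as $who => $data ) {
        $distinct = count( $data['ids'] );
        if ( $distinct >= $threshold ) {
            $flagged[ $who ] = array( 'distinct_ids' => $distinct, 'denied' => $data['denied'] );
        }
    }
    return $flagged;
}

// Constructed sample: "alice" walks through consecutive IDs within seconds,
// "bob" re-reads a single block of his own and visits an unrelated route.
$sample_log = <<<'LOG'
203.0.113.7 - alice [18/Dec/2025:16:20:01 +0000] "GET /wp-json/example-blocks/v1/block/101 HTTP/1.1" 200 512
203.0.113.7 - alice [18/Dec/2025:16:20:02 +0000] "GET /wp-json/example-blocks/v1/block/102 HTTP/1.1" 200 498
203.0.113.7 - alice [18/Dec/2025:16:20:02 +0000] "GET /wp-json/example-blocks/v1/block/103 HTTP/1.1" 403 61
203.0.113.7 - alice [18/Dec/2025:16:20:03 +0000] "GET /wp-json/example-blocks/v1/block/104 HTTP/1.1" 200 530
203.0.113.7 - alice [18/Dec/2025:16:20:03 +0000] "GET /wp-json/example-blocks/v1/block/105 HTTP/1.1" 404 52
203.0.113.7 - alice [18/Dec/2025:16:20:04 +0000] "GET /wp-json/example-blocks/v1/block/106 HTTP/1.1" 200 505
198.51.100.4 - bob [18/Dec/2025:16:21:10 +0000] "GET /wp-json/example-blocks/v1/block/200 HTTP/1.1" 200 470
198.51.100.4 - bob [18/Dec/2025:16:25:42 +0000] "GET /wp-json/example-blocks/v1/block/200 HTTP/1.1" 200 470
198.51.100.4 - bob [18/Dec/2025:16:26:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120
LOG;

foreach ( eb_find_enumeration( $sample_log, 5 ) as $who => $info ) {
    printf( "%s requested %d distinct block IDs (%d refused)\n", $who, $info['distinct_ids'], $info['denied'] );
}
```

Counting distinct IDs per principal rather than raw request volume is what separates a user repeatedly opening their own block from one sweeping through other users' records, and the refused count is a useful secondary signal because the hardened endpoint answers "not yours" and "does not exist" identically. The same logic translates directly into a WAF or SIEM rule keyed on the plugin's route prefix, which is the practical form of recommendations 3 and 4.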


Technical Details

Data Version
5.2
Assigner Short Name
Patchstack
Date Reserved
2025-10-29T03:29:08.849Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69443cc84eb3efac369d2e11

Added to database: 12/18/2025, 5:41:28 PM

Last enriched: 12/18/2025, 5:56:19 PM

Last updated: 12/19/2025, 8:36:35 AM

Views: 13


