CVE-2025-64632: Missing Authorization in Auctollo Google XML Sitemaps
Missing Authorization vulnerability in Auctollo Google XML Sitemaps google-sitemap-generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google XML Sitemaps: from n/a through <= 4.1.21.
AI Analysis
Technical Summary
CVE-2025-64632 identifies a missing authorization vulnerability in the Auctollo Google XML Sitemaps plugin, specifically versions up to and including 4.1.21. The vulnerability stems from incorrectly configured access control security levels, which fail to properly restrict access to certain sitemap management functionalities. Because of this misconfiguration, an unauthenticated attacker can access or manipulate sitemap data without proper permissions. The plugin is widely used in WordPress environments to generate XML sitemaps that help search engines index website content. The CVSS 3.1 score of 5.3 reflects a medium severity issue with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact is limited to confidentiality, as the attacker can potentially view sitemap data that might reveal sensitive URL structures or unpublished content, but cannot alter or disrupt the system's integrity or availability. No known exploits have been reported in the wild, and no official patches have been released at the time of publication. The vulnerability was reserved in early November 2025 and published in mid-December 2025. Organizations relying on this plugin should be aware of the risk of unauthorized sitemap data exposure, which could aid attackers in reconnaissance or targeted attacks.
Potential Impact
For European organizations, the primary impact is the potential exposure of confidential URL structures and sitemap data, which could facilitate further targeted attacks such as phishing, reconnaissance, or exploitation of other vulnerabilities. Although the vulnerability does not allow modification or disruption of services, the leakage of sitemap information can reveal internal or sensitive web resources not intended for public access. This is particularly concerning for sectors with sensitive data or intellectual property, including e-commerce, media, and government websites. Additionally, organizations that rely heavily on SEO and web presence may suffer reputational damage if attackers leverage exposed sitemap data maliciously. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the risk profile for organizations with publicly accessible WordPress sites using the affected plugin.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the use of the Auctollo Google XML Sitemaps plugin and verify the version in use. Until an official patch is released, administrators should restrict access to sitemap management interfaces via web server configuration or firewall rules, limiting access to trusted IP addresses or authenticated users only. Implementing Web Application Firewalls (WAF) with custom rules to detect and block unauthorized sitemap access attempts can reduce exposure. Monitoring web server logs for unusual access patterns to sitemap-related endpoints is recommended to detect potential exploitation attempts. Additionally, organizations should follow best practices by regularly updating plugins and themes, subscribing to vendor security advisories, and preparing to apply patches promptly once available. Where feasible, consider alternative sitemap generation plugins with verified secure authorization controls.
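One way to implement the log-monitoring recommendation above, as an added example that is not part of this advisory or of the plugin's own code: it parses constructed access-log lines and flags requests to sitemap-management routes that carry no WordPress login cookie, while leaving anonymous fetches of the public sitemap.xml alone. The route patterns, the custom log format with a Cookie field, and the `sm_rebuild_sitemap` action name are assumptions, since the advisory does not name the affected endpoints.

```python
import re
from collections import Counter

# Combined log format plus the Cookie header as a final quoted field (assumed custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$')

# Assumed patterns for sitemap *management* routes; the public sitemap.xml is
# fetched anonymously by design and must not be flagged. The advisory does not
# name the affected routes, so adjust these to the plugin's real ones.
MGMT_ROUTE = re.compile(
    r'/wp-admin/admin-ajax\.php\?.*\baction=[^&\s]*sitemap'
    r'|/wp-admin/admin\.php\?page=[^&\s]*sitemap'
    r'|/wp-json/\S*sitemap\S*', re.IGNORECASE)
# A WordPress login session shows up as a wordpress_logged_in_<hash> cookie.
WP_SESSION = re.compile(r'\bwordpress_logged_in_[0-9a-f]+=')

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """'ok' for benign traffic; 'attempt' for an unauthenticated hit on a
    management route; 'unauth_success' when the server answered it with 2xx."""
    if not MGMT_ROUTE.search(rec['path']) or WP_SESSION.search(rec['cookie']):
        return 'ok'
    return 'unauth_success' if rec['status'].startswith('2') else 'attempt'

def analyze(lines):
    """Return (findings, per_ip): flagged records and a per-client count."""
    findings, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the monitor
        verdict = classify(rec)
        if verdict != 'ok':
            rec['verdict'] = verdict
            findings.append(rec)
            per_ip[rec['ip']] += 1
    return findings, per_ip

SAMPLE_LOG = [  # constructed; sm_rebuild_sitemap is a placeholder action name
    '203.0.113.5 - - [16/Dec/2025:08:24:47 +0000] "GET /sitemap.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [16/Dec/2025:08:24:49 +0000] "GET /wp-admin/admin-ajax.php?action=sm_rebuild_sitemap HTTP/1.1" 200 88 "-" "python-requests/2.31" "-"',
    '198.51.100.7 - - [16/Dec/2025:08:25:01 +0000] "GET /wp-admin/admin.php?page=google-sitemap-generator HTTP/1.1" 302 0 "-" "curl/8.4" "-"',
    '192.0.2.9 - - [16/Dec/2025:08:25:10 +0000] "POST /wp-admin/admin-ajax.php?action=sm_rebuild_sitemap HTTP/1.1" 200 88 "-" "Mozilla/5.0" "wordpress_logged_in_9f3=admin%7C1765870000%7Cabc"',
]
```

A 2xx answer to an unauthenticated management request is the signal worth alerting on; a 302 to the login page is the plugin behaving as intended.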
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-06T13:11:11.069Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6941174f594e45819d70c5a1
Added to database: 12/16/2025, 8:24:47 AM
Last enriched: 1/21/2026, 12:13:05 AM
Last updated: 2/7/2026, 12:34:39 PM