CVE-2025-67575: Missing Authorization in Andrew Lima Sitewide Notice WP
Missing Authorization vulnerability in Andrew Lima Sitewide Notice WP sitewide-notice-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sitewide Notice WP: from n/a through <= 2.4.1.
AI Analysis
Technical Summary
CVE-2025-67575 is a vulnerability identified in the Andrew Lima Sitewide Notice WP plugin for WordPress, specifically affecting all versions up to and including 2.4.1. The core issue is a missing authorization control, meaning that the plugin fails to properly verify whether a user has the necessary permissions before allowing access to certain sitewide notice functionalities. This misconfiguration allows unauthenticated remote attackers to exploit the plugin by bypassing access control mechanisms, potentially enabling them to view or manipulate sitewide notices that should be restricted. The vulnerability is classified with a CVSS v3.1 base score of 5.3, which reflects a medium severity level. The vector indicates that the attack can be performed remotely over the network (AV:N), requires low attack complexity (AC:L), does not require privileges (PR:N), and does not require user interaction (UI:N). The impact is limited to confidentiality (C:L), with no impact on integrity (I:N) or availability (A:N). No known exploits have been reported in the wild, and no official patches or mitigation links have been published at the time of disclosure. The vulnerability arises from incorrectly configured access control security levels within the plugin, which is designed to display sitewide notices on WordPress sites. Exploitation could allow attackers to gain unauthorized visibility into sitewide notices or potentially manipulate them, which might be leveraged for social engineering or information gathering. Since WordPress is widely used across Europe, and this plugin is part of the ecosystem, the vulnerability poses a risk to organizations using this plugin, especially those relying on sitewide notices for critical communications or branding. The lack of authentication requirement and ease of exploitation increase the risk, although the limited impact on integrity and availability reduces the overall severity. 
Organizations should monitor for updates from the vendor and consider interim controls such as restricting access to the plugin’s functionality via web application firewalls or custom access rules.
Potential Impact
For European organizations, the primary impact of CVE-2025-67575 lies in unauthorized access to sitewide notices on WordPress sites using the affected plugin. This could lead to leakage of sensitive or internal communications intended only for authorized users, potentially aiding attackers in reconnaissance or social engineering campaigns. While the vulnerability does not allow modification of content or disruption of services, the confidentiality breach could undermine trust and expose internal messaging strategies. Organizations in sectors such as media, e-commerce, education, and government that rely heavily on WordPress for public-facing or internal communications are at higher risk. The ease of exploitation without authentication means that any external attacker can probe for this vulnerability, increasing exposure. However, the absence of known exploits in the wild and the medium severity rating suggest that the immediate risk is moderate. Still, failure to address this vulnerability could lead to reputational damage and facilitate further attacks leveraging information gained from unauthorized access to sitewide notices.
Mitigation Recommendations
1. Monitor the vendor’s official channels for patches or updates addressing CVE-2025-67575 and apply them promptly once available.
2. Until a patch is released, restrict access to the plugin’s administrative or notice management interfaces by implementing IP whitelisting or VPN-only access.
3. Deploy web application firewall (WAF) rules to detect and block unauthorized requests targeting the plugin’s endpoints.
4. Conduct an audit of all WordPress plugins in use to identify and remove unnecessary or outdated plugins, reducing the attack surface.
5. Implement strict role-based access controls within WordPress to limit which users can manage sitewide notices.
6. Monitor logs for unusual access patterns or attempts to exploit the plugin’s functionality.
7. Educate site administrators about the risks of missing authorization vulnerabilities and encourage timely updates.
8. Consider isolating critical WordPress instances behind additional authentication layers or reverse proxies to add defense in depth.
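The vulnerability class behind this CVE, a WordPress plugin exposing notice functionality without verifying the caller's capability, is easiest to recognise in code. The following is an added illustration written for this page; it is not the Sitewide Notice WP plugin's own code, and the route namespace, hook names, option name and the `manage_options` capability are assumptions chosen for the example. It shows the public-by-default pattern beside the hardened form that recommendation 5 calls for, using only standard WordPress APIs (`register_rest_route`, `current_user_can`, `check_ajax_referer`).

```php
<?php
/**
 * Added illustration (not the Sitewide Notice WP plugin's own code): the
 * "missing authorization" pattern this CVE class describes, shown as a
 * hypothetical WordPress handler before and after a capability check.
 * The namespace, hook names, option name and capability are assumptions.
 */

// --- BEFORE (vulnerable pattern): the REST route is readable by anyone. ---
// permission_callback => '__return_true' makes the endpoint public, so an
// unauthenticated request can read an option meant for administrators.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-notice/v1', '/notice', array(
        'methods'             => 'GET',
        'callback'            => 'example_notice_get_vulnerable',
        'permission_callback' => '__return_true',
    ) );
} );

function example_notice_get_vulnerable( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_sitewide_notice', '' ) );
}

// --- AFTER (hardened): authorization is enforced in permission_callback. ---
// When permission_callback returns false, WordPress answers with a
// rest_forbidden error before the callback runs, so the check cannot be
// skipped by the caller.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-notice/v1', '/notice-admin', array(
        'methods'             => 'GET',
        'callback'            => 'example_notice_get_hardened',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_notice_get_hardened( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_sitewide_notice', '' ) );
}

// The same rule applies to admin-ajax handlers: a wp_ajax_nopriv_ hook would
// expose the action to logged-out users, and wp_ajax_ alone only proves the
// caller is logged in, not that they may change settings. Check the
// capability and the nonce inside the handler, not only in the form.
add_action( 'wp_ajax_example_save_notice', 'example_notice_save_hardened' );

function example_notice_save_hardened() {
    // Both checks are server-side; wp_send_json_error stops execution.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_save_notice', 'nonce' ); // dies on failure

    $text = sanitize_text_field( wp_unslash( $_POST['notice'] ?? '' ) );
    update_option( 'example_sitewide_notice', $text );
    wp_send_json_success( array( 'saved' => true ) );
}
```

To confirm a fix of this shape on a site you administer, request the hardened route while logged out (`/wp-json/example-notice/v1/notice-admin` in this assumed namespace) and check that the response is a `rest_forbidden` error rather than the notice text; the same request against the vulnerable route returns the option value. Auditing a plugin for this class means reading every `register_rest_route` call for `'__return_true'` permission callbacks and every `wp_ajax_nopriv_` or `wp_ajax_` handler for a missing `current_user_can` check.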
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-09T12:21:34.120Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693833ab29cea75c35ae56e9
Added to database: 12/9/2025, 2:35:23 PM
Last enriched: 2/12/2026, 6:57:15 AM
Last updated: 3/23/2026, 10:48:32 PM
Views: 104