CVE-2025-67582: Missing Authorization in wbcomdesigns Wbcom Designs
Missing Authorization vulnerability in wbcomdesigns Wbcom Designs lock-my-bp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wbcom Designs: from n/a through <= 2.1.1.
AI Analysis
Technical Summary
CVE-2025-67582 identifies a missing authorization vulnerability in the Wbcom Designs WordPress plugin 'lock-my-bp' up to version 2.1.1. This vulnerability arises from incorrectly configured access control security levels, allowing unauthenticated remote attackers to bypass authorization checks. Specifically, the flaw permits attackers to access certain data or functionality that should be restricted, impacting confidentiality but not integrity or availability. The vulnerability does not require any privileges or user interaction to exploit, making it accessible over the network. However, the scope is limited to data exposure rather than system compromise or denial of service. The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects a network attack vector with low attack complexity, no privileges or user interaction needed, and limited confidentiality impact. No public exploits or active exploitation have been reported to date. The vulnerability affects all versions up to 2.1.1, though the exact affected versions are not fully enumerated. The issue was published on December 9, 2025, and assigned by Patchstack. No official patches or mitigation links are currently provided, indicating that users should monitor vendor advisories closely. Given the plugin’s use in WordPress environments, the vulnerability primarily threatens websites using this plugin for business or community purposes.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to confidentiality of data managed by the Wbcom Designs plugin. Organizations relying on this plugin for business processes, membership management, or community engagement could have sensitive information exposed to unauthorized parties. While the vulnerability does not allow system takeover or service disruption, unauthorized data access could lead to information leakage, reputational damage, or compliance issues under GDPR. The ease of exploitation without authentication increases risk, especially for publicly accessible websites. However, the absence of known exploits and limited impact on integrity and availability reduce the overall threat level. Organizations in sectors with high regulatory scrutiny or handling personal data are particularly vulnerable to the confidentiality breach. The impact is also influenced by the extent of plugin deployment within the organization’s web infrastructure.
Mitigation Recommendations
1. Monitor Wbcom Designs vendor channels and Patchstack advisories for official patches addressing CVE-2025-67582 and apply them promptly upon release.
2. Conduct an immediate audit of access control configurations within the 'lock-my-bp' plugin settings to identify and remediate any misconfigurations.
3. Restrict public access to sensitive plugin functionality or data through web application firewalls (WAF) or server-level access controls until patches are applied.
4. Implement network-level monitoring and alerting for unusual access patterns targeting the plugin endpoints.
5. Review and tighten WordPress user roles and permissions to minimize exposure.
6. Consider temporarily disabling or replacing the affected plugin if the data exposure risk is unacceptable and no patch is available.
7. Educate site administrators about the vulnerability and encourage vigilance for suspicious activity.
8. Regularly back up website data to enable recovery in case of exploitation or related incidents.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-09T12:21:34.121Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693833ad29cea75c35ae5711
Added to database: 12/9/2025, 2:35:25 PM
Last enriched: 1/21/2026, 1:04:07 AM
Last updated: 2/7/2026, 2:31:07 PM
Views: 30