
CVE-2025-8423: CWE-862 Missing Authorization in mythemeshop My WP Translate

Severity: Medium
Tags: Vulnerability, CVE-2025-8423, CWE-862
Published: Thu Sep 11 2025 (09/11/2025, 07:24:54 UTC)
Source: CVE Database V5
Vendor/Project: mythemeshop
Product: My WP Translate

Description

The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mtswpt_remove_plugin() and ajax_update_export_code() functions in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete arbitrary WordPress options which can cause a denial of service.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 17:07:57 UTC

Technical Analysis

CVE-2025-8423 identifies a missing authorization vulnerability (CWE-862) in the My WP Translate plugin developed by mythemeshop for WordPress. All versions up to and including 1.1 are affected. The functions mtswpt_remove_plugin() and ajax_update_export_code() lack a capability check, so any authenticated user with Subscriber-level access or above can invoke them and bypass the authorization they should enforce. Through them, such a user can read and delete arbitrary WordPress options, which hold site configuration and are essential to normal operation; removing or corrupting them can cause a denial of service. The vulnerability is exploitable remotely over the network and requires no user interaction beyond the attacker's own login. The CVSS v3.1 base score is 5.4 (medium): attack vector network (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and low availability impact (A:L). No patch or known exploit is currently available, but the vulnerability is publicly disclosed and should be addressed promptly.
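The defect class described above, a WordPress AJAX handler reachable by any logged-in user with no capability check, is easiest to see next to its hardened form. The following is an added illustration written for this page, not code from the My WP Translate plugin; the function names, action names, option names and nonce action are hypothetical placeholders. The first handler shows the missing-authorization pattern (CWE-862); the second adds the capability check, a nonce check, and an allow-list so that only the plugin's own options can be touched.

```php
<?php
// Added illustration (not the My WP Translate plugin's code). All names below
// are hypothetical placeholders chosen for this example.

// --- Vulnerable pattern: missing authorization (CWE-862) ---
// wp_ajax_{action} fires for every authenticated user, Subscribers included.
// Nothing here asks what the caller is permitted to do.
add_action( 'wp_ajax_example_remove_option', 'example_remove_option_insecure' );
function example_remove_option_insecure() {
    $name = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'missing option name', 400 ); // sends JSON and exits
    }
    delete_option( $name ); // caller-chosen key: arbitrary option deletion
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_example_remove_option_v2', 'example_remove_option_secure' );
function example_remove_option_secure() {
    // 1. Authorization: require an administrative capability. This is the
    //    check whose absence the advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: verify the nonce issued with the admin page.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_remove_option_nonce', 'nonce' );

    // 3. Least privilege on the data: only the plugin's own options may be
    //    deleted, never an arbitrary caller-supplied key.
    $allowed = array( 'example_export_code', 'example_settings' );
    $name    = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option not managed by this plugin', 400 );
    }

    delete_option( $name );
    wp_send_json_success();
}

// The admin page that issues the request would pass the nonce to its script
// (hypothetical handle and object name):
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_remove_option_nonce' ),
// ) );
```

When reviewing a plugin for this class of bug, look at every `wp_ajax_*` and `admin_post_*` callback and confirm that the capability check and nonce check both appear before any read or write of options; a nonce alone is not authorization, because a Subscriber can obtain a valid nonce for any page they can load.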

Potential Impact

The primary impact of CVE-2025-8423 is unauthorized modification and deletion of WordPress options by low-privileged authenticated users. This can lead to denial of service by disrupting site functionality or corrupting configuration data. Confidentiality is not directly impacted, but the integrity and availability of the affected WordPress site are at risk. Organizations running sites with the My WP Translate plugin installed are exposed to any internal or external attacker who can obtain Subscriber-level access, a low privilege level that is often granted to ordinary registered users or contributors. Exploitation could disrupt business operations, degrade user experience, or damage reputation. The vulnerability affects a broad range of WordPress sites globally, especially those relying on this plugin for translation management. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future.

Mitigation Recommendations

To mitigate CVE-2025-8423, organizations should first check if an updated version of the My WP Translate plugin is available that includes proper authorization checks and apply it immediately. In the absence of an official patch, administrators should consider temporarily disabling or uninstalling the plugin to prevent exploitation. Restricting Subscriber-level user registrations or tightening user role permissions can reduce the attack surface. Implementing web application firewalls (WAFs) with rules to detect and block suspicious requests targeting the vulnerable plugin functions may provide interim protection. Regularly auditing user accounts and monitoring logs for unusual activity related to plugin functions is recommended. Additionally, site owners should ensure that backups are current and tested to enable recovery in case of denial of service or data corruption. Engaging with the plugin vendor for updates and following WordPress security best practices will further reduce risk.


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-07-31T15:11:46.654Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68c27a21e1c560fa9d94d446

Added to database: 9/11/2025, 7:28:33 AM

Last enriched: 2/26/2026, 5:07:57 PM

Last updated: 3/25/2026, 2:45:25 AM
