CVE-2025-8423 is a medium-severity vulnerability affecting the My WP Translate plugin developed by mythemeshop for WordPress. The vulnerability arises from a missing authorization check (CWE-862) in two key functions: mtswpt_remove_plugin() and ajax_update_export_code(). These functions lack proper capability verification, allowing authenticated users with Subscriber-level privileges or higher to perform unauthorized actions. Specifically, attackers can read and delete arbitrary WordPress options, which are critical configuration settings stored in the WordPress database. The unauthorized deletion or modification of these options can disrupt the normal operation of the WordPress site, potentially leading to denial of service (DoS) conditions. The vulnerability affects all versions of the plugin up to and including version 1.1. The CVSS 3.1 base score is 5.4, reflecting a medium severity level, with an attack vector of network (remote exploitation), low attack complexity, requiring low privileges (authenticated Subscriber or higher), no user interaction, and impacting availability and integrity but not confidentiality. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is significant because Subscriber-level access is commonly granted to registered users on many WordPress sites, meaning an attacker does not need administrative privileges to exploit it. The ability to delete or modify WordPress options can cause site instability, loss of functionality, or downtime, impacting website availability and integrity of configuration data.

For European organizations using WordPress sites with the My WP Translate plugin, this vulnerability poses a risk of service disruption and potential damage to site configuration integrity. Many European businesses, government agencies, and NGOs rely on WordPress for their web presence, and the ability for low-privileged users to delete critical options could lead to denial of service, loss of trust, and operational interruptions. This is particularly impactful for organizations with public-facing websites or those that use WordPress for internal portals where Subscriber-level accounts are common. The vulnerability does not directly expose confidential data but compromises site availability and integrity, which can indirectly affect business continuity and reputation. Given the widespread use of WordPress in Europe and the common practice of allowing user registrations with Subscriber roles, the threat surface is significant. Additionally, organizations in regulated sectors (e.g., finance, healthcare) may face compliance risks if website availability or integrity is compromised. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for targeted attacks, especially as exploit code could be developed given the low complexity of exploitation.

European organizations should immediately audit their WordPress installations to identify the presence of the My WP Translate plugin and verify the version in use. Until an official patch is released, administrators should consider disabling or removing the plugin if it is not essential. If the plugin is required, restrict Subscriber-level user registrations or elevate the minimum required user role for sensitive actions to prevent exploitation. Implement additional access control measures such as web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable functions. Regularly back up WordPress options and site configurations to enable rapid restoration in case of unauthorized changes. Monitor logs for unusual activity from Subscriber accounts, including attempts to invoke plugin-specific AJAX actions. Educate site administrators about the risk and encourage prompt updates once a patch becomes available. Finally, consider applying the principle of least privilege by reviewing and minimizing user roles and capabilities across the WordPress environment.