CVE-2025-22592
Published: 07 January 2025
Summary
CVE-2025-22592 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 44.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-22592 is a missing authorization vulnerability, classified under CWE-862, in the 1003 Mortgage Application WordPress plugin developed by 8blocks. The flaw allows attackers to access functionality not properly constrained by access control lists (ACLs). It affects the plugin from unknown initial versions through 1.87 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited remotely by unauthenticated attackers with low complexity and no user interaction. Exploitation enables high-impact confidentiality violations, such as unauthorized access to sensitive data within the plugin's functionality.
Patchstack has documented the issue in its vulnerability database for the WordPress 1003 Mortgage Application plugin version 1.87, available at https://patchstack.com/database/Wordpress/Plugin/1003-mortgage-application/vulnerability/wordpress-1003-mortgage-application-plugin-1-87-broken-access-control-vulnerability-2?_s_id=cve. Security practitioners should review this advisory for recommended mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2867
Vulnerability details
Missing Authorization vulnerability in 8blocks 1003 Mortgage Application 1003-mortgage-application allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects 1003 Mortgage Application: from n/a through <= 1.87.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (CWE-862) in a public-facing WordPress plugin directly enables remote, unauthenticated exploitation of the application for data access.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly preventing exploitation of functionality not constrained by ACLs in the plugin.
- AC-6 (Least Privilege): Implements least privilege to restrict unauthenticated attackers from accessing sensitive mortgage application functionality.
- Authorizes access to resources based on ACLs or attributes, mitigating missing authorization decisions in the vulnerable plugin endpoints.