Cyber Resilience

CVE-2025-24607

Severity: Medium

Published: 14 February 2025
Modified: 29 April 2026
KEV Added: not listed
Patch:
CVSS Score v3.1: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N)
EPSS Score: 0.0017 (38.1st percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24607 is a medium-severity Missing Authorization (CWE-862) vulnerability in the IdeaPush WordPress plugin from Northern Beaches Websites (vendor slug northernbeacheswebsites, product slug ideapush). Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 38.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-24607 is a missing authorization vulnerability (CWE-862) in the IdeaPush WordPress plugin from Northern Beaches Websites. The flaw corresponds to the attack pattern "Exploiting Incorrectly Configured Access Control Security Levels" and affects all versions of IdeaPush up to and including 8.71.

The CVSS v3.1 base score is 5.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N): the flaw is reachable remotely over the network (AV:N) by an unauthenticated actor (PR:N), with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation leads to a low-impact integrity violation (I:L) across a changed scope (S:C), that is, unauthorized modifications made possible by the missing access control check.

The Patchstack advisory provides details on this broken access control issue in the WordPress IdeaPush plugin version 8.71: https://patchstack.com/database/Wordpress/Plugin/ideapush/vulnerability/wordpress-ideapush-plugin-8-71-broken-access-control-vulnerability?_s_id=cve. Security practitioners should consult it for recommended patches or mitigations.


Vulnerability details

Missing Authorization vulnerability in Northern Beaches Websites IdeaPush ideapush allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IdeaPush: from n/a through <= 8.71.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a missing authorization/broken access control flaw in a public-facing WordPress plugin, directly enabling remote unauthenticated exploitation over the network with no user interaction, which maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)
CVE-2025-41765 (shared CWE-862)

Affected Assets

Vendor: northernbeacheswebsites
Product: ideapush
Versions: ≤ 8.73

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent)

Directly mandates enforcement mechanisms for approved authorizations, preventing unauthorized modifications from missing authorization checks in the IdeaPush plugin.

SI-2 Flaw Remediation (prevent)

Requires timely remediation of identified flaws, directly addressing the missing authorization vulnerability by patching the affected plugin versions up to 8.71.

AC-6 Least Privilege (prevent)

Enforces least privilege to restrict capabilities, limiting potential damage from exploitation of broken access controls even if authorization is bypassed.
