CVE-2025-24607
Published: 14 February 2025
Summary
CVE-2025-24607 is a medium-severity Missing Authorization (CWE-862) vulnerability in Northernbeacheswebsites Ideapush. Its CVSS base score is 5.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 38.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-24607 is a missing authorization vulnerability (CWE-862) in the IdeaPush WordPress plugin from Northern Beaches Websites. Because an access-control check is absent, an attacker can exploit incorrectly configured access-control security levels; all versions of IdeaPush up to and including 8.71 are affected.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N); the CVSS v3.1 base score is 5.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N). Exploitation results in a low integrity impact (I:L) with a changed scope (S:C), i.e. unauthorized modifications made possible by the broken access control; confidentiality and availability are not affected (C:N/A:N).
The Patchstack advisory provides details on this broken access control issue in the WordPress IdeaPush plugin version 8.71: https://patchstack.com/database/Wordpress/Plugin/ideapush/vulnerability/wordpress-ideapush-plugin-8-71-broken-access-control-vulnerability?_s_id=cve. Security practitioners should consult it for recommended patches or mitigations.
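To make the CWE-862 pattern concrete for defenders, the following is an added example of how a missing authorization check typically looks in a WordPress REST endpoint, alongside the hardened form. This is illustrative code written for this page; it is not IdeaPush's code, and the plugin namespace (`example-ideas/v1`), post type (`example_idea`), meta key and function names are assumptions. The two routes share one handler so that the only difference is the `permission_callback`, which is exactly where authorization is enforced (NIST AC-3) or absent.

```php
<?php
/**
 * Hypothetical "ideas" plugin fragment illustrating CWE-862 (missing authorization)
 * in a WordPress REST route. NOT the IdeaPush plugin's code: route names, callbacks,
 * post type, meta key and capability are assumptions for this example.
 */

// --- VULNERABLE PATTERN: state-changing route registered without authorization ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-ideas/v1', '/idea/(?P<id>\d+)/status', array(
        'methods'             => 'POST',
        'callback'            => 'example_ideas_set_status',
        // '__return_true' makes the endpoint reachable by anyone, including
        // unauthenticated clients (PR:N). Nothing checks who the caller is,
        // so the handler below writes data on behalf of an unknown user (I:L).
        'permission_callback' => '__return_true',
    ) );
} );

// --- HARDENED PATTERN: same handler, authorization enforced in permission_callback ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-ideas/v1', '/idea/(?P<id>\d+)/status-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_ideas_set_status',
        'permission_callback' => 'example_ideas_can_edit_idea',
        'args'                => array(
            'id'     => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'status' => array(
                'required' => true,
                'type'     => 'string',
                'enum'     => array( 'open', 'planned', 'closed' ), // reject arbitrary values
            ),
        ),
    ) );
} );

/**
 * Authorization check (AC-3) applying least privilege (AC-6): require the
 * per-post meta-capability, not merely "logged in". For cookie-authenticated
 * REST calls WordPress core also validates the X-WP-Nonce header before this runs.
 */
function example_ideas_can_edit_idea( WP_REST_Request $request ) {
    $post_id = absint( $request->get_param( 'id' ) );
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to change this idea.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

/** Shared handler: writes idea status. It never checks authorization itself. */
function example_ideas_set_status( WP_REST_Request $request ) {
    $post_id = absint( $request->get_param( 'id' ) );
    $status  = sanitize_text_field( $request->get_param( 'status' ) );

    if ( get_post_type( $post_id ) !== 'example_idea' ) {
        return new WP_Error( 'rest_not_found', 'No such idea.', array( 'status' => 404 ) );
    }

    update_post_meta( $post_id, '_example_idea_status', $status );
    return rest_ensure_response( array( 'id' => $post_id, 'status' => $status ) );
}
```

A quick regression check for a site owner is to send an unauthenticated POST to the hardened route and confirm a 401/403 response rather than a 200 with a changed status; the vulnerable route returns 200 for the same request. Keeping the plugin updated (SI-2) is still the primary fix, since auditing every registered route by hand does not scale.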
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3811
Vulnerability details
Missing Authorization vulnerability in Northern Beaches Websites IdeaPush ideapush allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IdeaPush: from n/a through <= 8.71.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a missing authorization/broken access control flaw in a public-facing WordPress plugin, directly enabling remote unauthenticated exploitation over the network with no user interaction, which maps to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly mandates enforcement mechanisms for approved authorizations, preventing the unauthorized modifications that the missing authorization checks in the IdeaPush plugin would otherwise allow.
- SI-2 (Flaw Remediation): requires timely remediation of identified flaws, directly addressing the vulnerability by updating affected IdeaPush installations (versions up to and including 8.71).
- AC-6 (Least Privilege): restricts the capabilities available to any one account or process, limiting the damage from exploitation of the broken access control even where the authorization check is bypassed.