Cyber Resilience

CVE-2025-25167

High

Published: 07 February 2025

Published
07 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS Score 0.0005 16.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25167 is a high-severity Missing Authorization (CWE-862) vulnerability in Blackandwhitedigital Bookpress. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-25167 is a missing authorization vulnerability (CWE-862) in the BookPress – For Book Authors WordPress plugin, affecting all versions up to and including 1.2.7. The flaw enables exploitation of incorrectly configured access control security levels, as documented in the CVE description published on 2025-02-07. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating high severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation allows limited integrity impacts alongside high availability disruption, such as denial-of-service effects, while confidentiality remains unaffected due to the unchanged scope.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/book-press/vulnerability/wordpress-bookpress-for-book-authors-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve provides details on the broken access control issue in version 1.2.7 and guidance for mitigation, including available patches or updates for the plugin.

EU & UK References

Vulnerability details

Missing Authorization vulnerability in Black and White BookPress – For Book Authors book-press allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BookPress – For Book Authors: from n/a through <= 1.2.7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The missing authorization (broken access control) vulnerability in a public-facing WordPress plugin enables unauthenticated remote exploitation over the network, directly mapping to T1190 Exploit Public-Facing Application. Resulting integrity and availability impacts (e.g., DoS) stem from this initial access vector.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25168Same product: Blackandwhitedigital Bookpress
CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2026-42083Shared CWE-862
CVE-2026-0656Shared CWE-862
CVE-2026-24532Shared CWE-862
CVE-2025-13603Shared CWE-862
CVE-2025-69063Shared CWE-862
CVE-2026-3045Shared CWE-862
CVE-2025-67956Shared CWE-862

Affected Assets

blackandwhitedigital
bookpress
≤ 1.2.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of the specific flaw in the BookPress plugin through patching, directly eliminating the missing authorization vulnerability.

prevent

Enforces approved authorizations for logical access to system resources, preventing unauthorized exploitation of the plugin's missing or incorrect access controls by unauthenticated attackers.

prevent

Controls access to and protects publicly accessible content on WordPress sites, mitigating unauthenticated remote exploitation of the BookPress plugin's broken access control security levels.

References