CVE-2025-25167
Published: 07 February 2025
Summary
CVE-2025-25167 is a high-severity Missing Authorization (CWE-862) vulnerability in Blackandwhitedigital Bookpress. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-25167 is a missing authorization vulnerability (CWE-862) in the BookPress – For Book Authors WordPress plugin, affecting all versions up to and including 1.2.7. The flaw enables exploitation of incorrectly configured access control security levels, as documented in the CVE description published on 2025-02-07. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating high severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation allows limited integrity impacts alongside high availability disruption, such as denial-of-service effects, while confidentiality remains unaffected due to the unchanged scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/book-press/vulnerability/wordpress-bookpress-for-book-authors-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve provides details on the broken access control issue in version 1.2.7 and guidance for mitigation, including available patches or updates for the plugin.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4070
Vulnerability details
Missing Authorization vulnerability in Black and White BookPress – For Book Authors book-press allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BookPress – For Book Authors: from n/a through <= 1.2.7.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The missing authorization (broken access control) vulnerability in a public-facing WordPress plugin enables unauthenticated remote exploitation over the network, directly mapping to T1190 Exploit Public-Facing Application. Resulting integrity and availability impacts (e.g., DoS) stem from this initial access vector.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of the specific flaw in the BookPress plugin through patching, directly eliminating the missing authorization vulnerability.
Enforces approved authorizations for logical access to system resources, preventing unauthorized exploitation of the plugin's missing or incorrect access controls by unauthenticated attackers.
Controls access to and protects publicly accessible content on WordPress sites, mitigating unauthenticated remote exploitation of the BookPress plugin's broken access control security levels.