Cyber Resilience

CVE-2025-64236

Critical

Published: 18 December 2025

Published
18 December 2025
Modified
28 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0037 28.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64236 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-64236 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Tuturn WordPress plugin developed by AmentoTech. This flaw enables authentication abuse and affects all versions of Tuturn prior to 3.6. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise without requiring user privileges or interaction.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity. Successful exploitation allows the attacker to bypass authentication mechanisms, potentially gaining unauthorized access to the plugin's functionality and, by extension, the underlying WordPress site. This could result in high-impact confidentiality, integrity, and availability violations, such as data exfiltration, modification of site content, or denial of service.

Patchstack's advisory for the Tuturn plugin highlights this as a broken authentication vulnerability fixed in version 3.6. Security practitioners should urge users to update to Tuturn 3.6 or later to mitigate the issue, as no other workarounds are specified in the available references.

EU & UK References

Vulnerability details

Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn allows Authentication Abuse.This issue affects Tuturn: from n/a before 3.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application to gain unauthenticated administrative access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64281Shared CWE-288
CVE-2025-62064Shared CWE-288
CVE-2026-42760Shared CWE-288
CVE-2025-24472Shared CWE-288
CVE-2025-13539Shared CWE-288
CVE-2026-25406Shared CWE-288
CVE-2025-0316Shared CWE-288
CVE-2025-63217Shared CWE-288
CVE-2026-31271Shared CWE-288
CVE-2025-5397Shared CWE-288

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 explicitly identifies and permits only specific actions without identification or authentication, directly countering authentication bypass via alternate paths or channels in the Tuturn plugin.

prevent

AC-3 enforces approved authorizations for access to system resources, preventing unauthorized access through flawed authentication enforcement in the plugin.

prevent

SI-2 requires timely remediation of flaws, such as updating the Tuturn plugin to version 3.6 or later to eliminate the authentication bypass vulnerability.

References