CVE-2025-69188
Published: 22 January 2026
Summary
CVE-2025-69188 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 21.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-69188 is a missing authorization vulnerability, mapped to CWE-862, in the fitness-trainer WordPress plugin developed by e-plugins. The plugin fails to enforce an authorization check, which lets an attacker exploit incorrectly configured access control security levels. Affected versions run from an unknown initial version up to and including 1.7.1.
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Scope is unchanged, and an unauthenticated attacker can achieve limited (Low) impact on confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/fitness-trainer/vulnerability/wordpress-fitness-trainer-plugin-1-7-1-broken-access-control-vulnerability?_s_id=cve provides details on this broken access control issue in the WordPress Fitness Trainer plugin version 1.7.1, including recommended mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3875
Vulnerability details
Missing Authorization vulnerability in e-plugins fitness-trainer fitness-trainer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects fitness-trainer: from n/a through <= 1.7.1.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Missing authorization (broken access control) in a public-facing WordPress plugin directly enables remote, unauthenticated exploitation of the application.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authorization checks on all plugin functions, blocking the unauthenticated access that the missing-authorization flaw permits.
- AC-6 (Least Privilege): Limits privileges granted to any account or unauthenticated context, reducing the impact even if access-control checks are absent or misconfigured.
- Vendor patch: Requires prompt application of the vendor patch that corrects the broken access-control logic in fitness-trainer <= 1.7.1.