WordPress REST API Authentication < 3.6.4 – Missing Authorization to Authenticated (Subscriber+) Limited Options Update | CVE 2025-39545 | Plugin Vulnerabilities

Description

The WordPress REST API Authentication plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the mo_api_auth_close_admin_notices() function in all versions up to, and including, 3.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to the current time on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.

Affects Plugins

wp-rest-api-authentication

Fixed in 3.6.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c02c824a-dc6e-4329-8e1b-0519b6c4e4c0

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

chuck

Verified

No

WPVDB ID

f154880a-c9c7-4f73-b215-f4073308a793

Timeline

Publicly Published

2025-04-16 (about 10 months ago)

Added

2025-04-22 (about 10 months ago)

Last Updated

2025-04-22 (about 10 months ago)

Other

Published

Title

Published

2022-11-21

Title

WooCommerce Shipping - DPD baltic < 1.2.57 - Subscriber+ Arbitrary Options Deletion

Published

2024-01-05

Title

Booster Elite for WooCommerce < 7.1.2 - Missing Authorization to Order Information Disclosure

Published

2025-10-14

Title

Oceanpayment CreditCard Gateway <= 6.0 - Unauthenticated Order Status Update

Published

2024-04-25

Title

Client Dash <= 2.2.1 - Missing Authorization

Published

2024-10-10

Title

Hunk Companion < 1.8.5 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation