CVE-2025-25167

8.2 HIGH

📋 TL;DR

This CVE describes a missing authorization vulnerability in the BookPress WordPress plugin that allows attackers to bypass access controls. Attackers could potentially modify book content, settings, or user data without proper permissions. All WordPress sites running BookPress versions up to 1.2.7 are affected.

💻 Affected Systems

Products:
  • BookPress – For Book Authors WordPress plugin
Versions: n/a through 1.2.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthenticated attackers could modify or delete book content, change plugin settings, or potentially escalate privileges to compromise the entire WordPress site.

🟠 Likely Case

Authenticated users with limited permissions could perform actions reserved for administrators, such as modifying book content or changing plugin configurations.

🟢 If Mitigated

With proper access controls and authentication checks, only authorized administrators could perform administrative actions on book content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of WordPress plugin structure and access control mechanisms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.2.7

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/book-press/vulnerability/wordpress-bookpress-for-book-authors-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find BookPress – For Book Authors
4. Click 'Update Now' if available
5. If no update available, deactivate and delete the plugin
6. Install latest version from WordPress repository

🔧 Temporary Workarounds

Disable BookPress Plugin

Platform: WordPress

Temporarily deactivate the vulnerable plugin until a patched version is available:

wp plugin deactivate book-press

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the WordPress admin interface
  • Enable WordPress security plugins that add additional access control layers and monitor for unauthorized actions

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins → Installed Plugins and check the version number shown for BookPress – For Book Authors.

Check Version:

wp plugin get book-press --field=version

Verify Fix Applied:

Confirm that the plugin version is 1.2.8 or higher, or that the plugin has been deactivated or removed.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST requests to BookPress admin endpoints
  • Multiple failed authorization attempts on book-related endpoints
  • Unexpected modifications to book content or settings

Network Indicators:

  • Unusual traffic patterns to /wp-admin/admin-ajax.php with bookpress parameters
  • Requests to bookpress endpoints from unauthorized IP addresses

SIEM Query:

source="wordpress.log" AND ("bookpress" OR "book-press") AND ("admin" OR "ajax") AND status=200 AND user_role!="administrator"
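As an added example (not part of this advisory), the SIEM rule above implemented as a small Python filter run over constructed JSON log lines. The log format, the user_role field and the bookpress_* action names are assumptions: a stock web-server access log does not record the authenticated user's role, so the role must come from WordPress-side logging or enrichment before this rule can fire.

```python
import json

# Constructed sample records (one JSON object per line). The "user_role" field and
# the bookpress_* action names are assumptions for illustration only.
SAMPLE_LOG = """
{"ts":"2025-02-01T10:00:01Z","user_role":"administrator","method":"POST","status":200,"url":"/wp-admin/admin-ajax.php?action=bookpress_save_book"}
{"ts":"2025-02-01T10:00:05Z","user_role":"subscriber","method":"POST","status":200,"url":"/wp-admin/admin-ajax.php?action=bookpress_save_book"}
{"ts":"2025-02-01T10:00:09Z","user_role":"subscriber","method":"POST","status":403,"url":"/wp-admin/admin-ajax.php?action=bookpress_save_book"}
{"ts":"2025-02-01T10:00:12Z","user_role":"subscriber","method":"GET","status":200,"url":"/wp-content/plugins/book-press/assets/style.css"}
{"ts":"2025-02-01T10:00:15Z","user_role":"","method":"POST","status":200,"url":"/wp-admin/admin-ajax.php?action=bookpress_update_settings"}
{"ts":"2025-02-01T10:00:20Z","user_role":"subscriber","method":"POST","status":200,"url":"/wp-admin/admin-ajax.php?action=heartbeat"}
"""

BOOKPRESS_MARKERS = ("bookpress", "book-press")   # ("bookpress" OR "book-press")
ADMIN_MARKERS = ("/wp-admin/", "admin-ajax.php")  # ("admin" OR "ajax"), matched on the path


def parse_line(line):
    """Parse one JSON record; blank or malformed lines are skipped rather than crashing."""
    line = line.strip()
    if not line:
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def is_suspicious(rec):
    """The rule: a BookPress admin/ajax request that succeeded (HTTP 200) for any
    caller who is not an administrator. An empty role means an unauthenticated
    caller, which is the worst case described above, so it is deliberately included."""
    url = str(rec.get("url", "")).lower()
    if not any(m in url for m in BOOKPRESS_MARKERS):
        return False  # plugin static assets under /wp-content/ still fail the next check
    if not any(m in url for m in ADMIN_MARKERS):
        return False
    if rec.get("status") != 200:
        return False  # a 403 means the access check held; only successes are alerts
    return rec.get("user_role", "") != "administrator"


def find_suspicious(log_text):
    """Return every record in log_text that matches the rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_suspicious(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["user_role"] or "<unauthenticated>", hit["url"])
```

Run against the sample, only the subscriber's successful save and the unauthenticated settings change are reported; the administrator's request, the 403 and the stylesheet fetch are not.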
