CVE-2025-60094
📋 TL;DR
This CVE describes a missing authorization vulnerability in the Stackable WordPress plugin that allows attackers to exploit incorrectly configured access control security levels. It affects all WordPress sites running Stackable plugin versions up to 3.18.1, potentially allowing unauthorized access to restricted functionality.
💻 Affected Systems
- Stackable - Ultimate Gutenberg Blocks WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could gain administrative privileges, modify site content, inject malicious code, or access sensitive data depending on the specific broken access control points.
Likely Case
Unauthorized users could perform actions intended only for authenticated users or specific roles, such as modifying content, changing settings, or accessing restricted data.
If Mitigated
With proper role-based access controls and authentication checks, impact would be limited to minor functionality abuse.
🎯 Exploit Status
Exploitation requires understanding of WordPress role structures and plugin functionality. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.18.2 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Stackable plugin and click 'Update Now'. 4. Verify update to version 3.18.2 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the Stackable plugin until patched
Restrict plugin access
allUse WordPress role management plugins to restrict access to Stackable functionality
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the WordPress admin interface
- Enable detailed logging and monitoring for unauthorized access attempts to Stackable functionality
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins, find Stackable and check version numberCheck Version:
wp plugin list --name=stackable --field=versionVerify Fix Applied:
Verify Stackable plugin version is 3.18.2 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Stackable-specific endpoints
- User role escalation attempts
- Unusual plugin function calls from non-admin users
Network Indicators:
- HTTP requests to Stackable admin endpoints from unauthorized IPs
- POST requests to plugin-specific endpoints without proper authentication
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND action CONTAINS "stackable") AND user_role!="administrator"