CVE-2025-62999 – This CVE describes a missing authorization vuln... (How to Fix)

📋 TL;DR

This CVE describes a missing authorization vulnerability in the Litho Addons WordPress plugin that allows attackers to bypass access controls. It affects all versions up to and including 3.4, potentially enabling unauthorized access to plugin functionality.

💻 Affected Systems

Products:

Litho Addons WordPress Plugin

Versions: All versions through 3.4

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects WordPress installations using the Litho Addons plugin. No specific OS requirements.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify plugin settings, inject malicious content, or gain administrative privileges on affected WordPress sites.

🟠

Likely Case

Unauthorized users could access restricted plugin features, potentially modifying site appearance or functionality.

🟢

If Mitigated

With proper access controls and authentication, impact would be limited to authorized users only.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires some WordPress access but not necessarily admin privileges. Attack complexity is low once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 3.4

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/litho-addons/vulnerability/wordpress-litho-addons-plugin-3-4-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find Litho Addons
4. Click 'Update Now' if available
5. If no update available, deactivate and remove the plugin

🔧 Temporary Workarounds

Temporary Access Restriction

all

Restrict access to WordPress admin area using IP whitelisting or additional authentication

🧯 If You Can't Patch

Deactivate and remove the Litho Addons plugin immediately
Implement web application firewall rules to block suspicious access patterns to plugin endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Litho Addons version 3.4 or earlier

Check Version:

wp plugin list --name=litho-addons --field=version

Verify Fix Applied:

Verify plugin version is higher than 3.4 or plugin is completely removed

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to litho-addons endpoints in WordPress logs
Unusual plugin configuration changes

Network Indicators:

HTTP requests to /wp-content/plugins/litho-addons/ with non-admin user agents

SIEM Query:

source="wordpress.log" AND "litho-addons" AND (status=403 OR status=200) AND user_role!="administrator"

📊 Metadata

CVE ID: CVE-2025-62999

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-862

EPSS Score: 0.03% exploit probability (9th percentile)

Published: December 9, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/litho-addons/vulnerability/wordpress-litho-addons-plugin-3-4-broken-access-control-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-62999, you might also want to check these: