CVE-2025-22561: 
WordPress vulnerability analysis and mitigation

The Title Experiments Free WordPress plugin contains a Missing Authorization vulnerability (CVE-2025-22561) discovered by Kévin Mosbahi (Mika) and disclosed on January 7, 2025. The vulnerability affects all versions of the plugin up to and including version 9.0.4, with no known fix currently available (WPScan, Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue, resulting from a missing capability check on a function. It has received a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability falls under the OWASP Top 10 category A5: Broken Access Control (Patchstack, WPScan).

The vulnerability allows authenticated attackers with Subscriber-level access and above to perform unauthorized actions within the WordPress installation (WPScan).

Currently, there is no official fix available from the plugin developer. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider alternative plugins (Patchstack).