CVE-2025-22722: 
WordPress vulnerability analysis and mitigation

The Widget Options plugin for WordPress contains a Missing Authorization vulnerability (CVE-2025-22722) discovered in versions up to and including 4.0.8. The vulnerability was publicly disclosed on January 15, 2025, and was identified by security researcher Trương Hữu Phúc (WPScan, Patchstack).

The vulnerability stems from a missing capability check in the widgetoptsajaxhiderating() function. It has been assigned a CVSS score of 4.3 (Medium) and is classified under CWE-862. The issue falls under the OWASP Top 10 category A5: Broken Access Control (WPScan, [Patchstack](https://patchstack.com/database/wordpress/plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-0-8-broken-access-control-to-notice-dimissal-vulnerability?s_id=cve)).

The vulnerability allows authenticated attackers with subscriber-level access and above to dismiss ratings notices without proper authorization. While the severity is considered low, it represents a broken access control issue that could lead to unprivileged users executing higher privileged actions (Patchstack).

The vulnerability has been fixed in Widget Options version 4.0.9. Users are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).