CVE-2025-22787: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in bPlugins LLC Button Block WordPress plugin, tracked as CVE-2025-22787. The vulnerability affects versions through 1.1.5 of the Button Block plugin and involves functionality not properly constrained by Access Control Lists (ACLs). The issue was discovered by security researcher Khalid Yusuf and was publicly disclosed on January 13, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) related to missing authorization checks. It received varying CVSS scores, with NIST assigning a High severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), while the original reporter Patchstack assessed it as Medium severity with a score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) (NVD).

The vulnerability could allow an unprivileged user to execute certain higher privileged actions due to the missing authorization checks. The impact assessment varies between sources, with NIST indicating potential high impact on confidentiality, integrity, and availability, while Patchstack suggests a lower impact limited primarily to confidentiality (Patchstack).

The vulnerability has been fixed in version 1.1.6 of the Button Block plugin. Users are advised to update to version 1.1.6 or later to remove the vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins as an additional security measure (Patchstack).