CVE-2025-23771: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-23771 is a Missing Authorization vulnerability discovered in the WordPress plugin Push Notification for Post and BuddyPress versions 2.11 and below. The vulnerability was first reported on November 28, 2024, and was publicly disclosed on January 16, 2025. This security issue affects the plugin developed by Muralidharan Ramasamy and allows exploiting incorrectly configured access control security levels (Patchstack).

The vulnerability has been assigned a CVSS score of 6.5 (Medium severity) and is classified under the OWASP Top 10 category A1: Broken Access Control. The security issue specifically relates to settings change capabilities, allowing unauthenticated users to modify plugin settings (Patchstack).

The vulnerability enables unauthorized users to modify plugin settings, which could potentially compromise the security and functionality of affected WordPress installations. The issue is considered moderately dangerous and is expected to become actively exploited (Patchstack).

Users are strongly advised to update to version 2.12 or later of the Push Notification for Post and BuddyPress plugin, which contains the fix for this vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).