CVE-2025-23929: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in wishfulthemes Email Capture & Lead Generation WordPress plugin, tracked as CVE-2025-23929. The vulnerability affects versions through 1.0.2 and allows exploiting incorrectly configured access control security levels. The issue was discovered by Abdi Pranata and was publicly disclosed on January 16, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 score of 4.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and low privileges required. The issue specifically relates to missing authorization checks that could allow unprivileged users to execute higher privileged actions (Patchstack).

The vulnerability has a low severity impact and is considered unlikely to be exploited. It primarily affects the access control mechanisms of the plugin, potentially allowing subscriber-level users to perform unauthorized actions (Patchstack).

Currently, no official fix is available for this vulnerability. The issue affects versions up to 1.0.2, and users are advised to monitor for updates from the plugin developer (Patchstack).