CVE-2025-23958: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-23958) was discovered in the FADI MED Editor Wysiwyg Background Color WordPress plugin. The vulnerability affects all versions through 1.0 and was first reported on December 30, 2024, with public disclosure occurring on January 16, 2025. The vulnerability allows exploitation of incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 score of 6.5 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD, Patchstack).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. This could lead to unauthorized access and potential manipulation of system settings (Patchstack).

No official fix is currently available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the mitigation immediately (Patchstack).