CVE-2025-23963: 
WordPress vulnerability analysis and mitigation

The Mark Posts WordPress plugin versions 2.2.4 and below contain a Missing Authorization vulnerability (CVE-2025-23963), which was discovered and publicly disclosed on January 16, 2025. The vulnerability affects the plugin's access control mechanisms and impacts WordPress installations using the affected versions (WPScan, Patchstack).

The vulnerability stems from a missing capability check on a function within the Mark Posts plugin, classified as a Broken Access Control issue (CWE-862). It has received a CVSS score of 4.3 (medium) according to WPScan, while Patchstack rates it at 5.4 (low). The vulnerability falls under the OWASP Top 10 category A5: Broken Access Control (WPScan, Patchstack).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to perform unauthorized actions within the WordPress installation. This broken access control issue could potentially lead to unprivileged users executing certain higher privileged actions (Patchstack).

The vulnerability has been fixed in version 2.2.5 of the Mark Posts plugin. Website administrators are advised to update to version 2.2.5 or later to remove the vulnerability. Patchstack users have the option to enable auto-updates for vulnerable plugins (Patchstack).