CVE-2025-24590: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-24590) was discovered in Haptiq picu – Online Photo Proofing Gallery through version 2.4.0. The vulnerability allows exploiting incorrectly configured access control security levels. The issue was disclosed on December 22, 2024, and affects the WordPress plugin picu – Online Photo Proofing Gallery up to version 2.4.0 (Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS v3.1 score of 5.3 (Medium). The technical assessment indicates it stems from missing authorization, authentication, or nonce token checks in certain functions, potentially allowing unprivileged users to execute higher privileged actions. The vulnerability is tracked under CWE-862 (Missing Authorization) (Patchstack).

The vulnerability is considered moderately dangerous and is expected to become exploited. It could allow unprivileged users to perform actions that should be restricted to users with higher privilege levels (Patchstack).

The vulnerability has been fixed in version 2.4.1 of the plugin. Users are advised to update to version 2.4.1 or later immediately. For Patchstack users, a virtual patch has been issued to mitigate this issue by blocking any attacks until the update to a fixed version is completed (Patchstack).