CVE-2025-24693: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in Yehi Advanced Notifications plugin for WordPress, affecting versions up to and including 1.2.7. The vulnerability was discovered by Kévin Mosbahi (Mika) and was publicly disclosed on January 24, 2025. This security issue has been assigned CVE-2025-24693 and allows exploiting incorrectly configured access control security levels (WPScan, Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue, resulting from a missing capability check on a function. It has received a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability falls under the OWASP Top 10 category A5: Broken Access Control (Patchstack, WPScan).

The vulnerability allows authenticated attackers with Subscriber-level access and above to perform unauthorized actions within the WordPress installation. The severity is considered low to medium, with potential impacts limited to integrity-related concerns (WPScan, Patchstack).

The vulnerability has been fixed in version 1.2.8 of the Advanced Notifications plugin. Users are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).