CVE-2025-26968: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the WordPress plugin Cloak Front End Email versions up to 1.9.5. The vulnerability was reported on March 29, 2025, and publicly disclosed on April 17, 2025. This security issue allows exploiting incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 score of 7.5 (High). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U), with high impact on integrity (I:H) but no impact on confidentiality (C:N) or availability (A:N) (Patchstack).

The vulnerability is considered highly dangerous and expected to become mass exploited. It allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks (Patchstack).

The vulnerability has been fixed in version 1.9.6 of the Cloak Front End Email plugin. Users are strongly advised to update to this version immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).