CVE-2025-27294: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in the WordPress plugin WP-Asambleas (versions through 2.85.0). The vulnerability, tracked as CVE-2025-27294, was discovered and disclosed on February 24, 2025, allowing potential exploitation of incorrectly configured access control security levels (Patchstack).

The vulnerability has been classified as CWE-862 (Missing Authorization) and received a CVSS v3.1 Base Score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires high attack complexity, needs no privileges, requires no user interaction, has a limited scope, and can potentially impact both confidentiality and integrity at a low level, with no impact on availability (NVD).

The vulnerability is categorized as a broken access control issue, which could potentially allow unprivileged users to execute certain higher privileged actions. The impact has been assessed as having low severity, though specific impacts may vary case by case (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue was initially reported on February 9, 2025, and published by Patchstack on February 24, 2025 (Patchstack).