CVE-2025-28985: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in the Elastic Email Subscribe Form WordPress plugin affecting versions up to 1.2.2. The vulnerability was discovered by researcher Hiro and was publicly disclosed on June 5, 2025. The issue received the identifier CVE-2025-28985 and relates to incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 5.4 (Medium). The vulnerability vector is described as CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, indicating network accessibility, low attack complexity, and requiring low privileges to exploit (NVD).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. The impact is considered to have low severity but could affect the integrity and availability of the system (Patchstack).

No official fix is available for this vulnerability. The recommended mitigation is to remove and replace the software with an alternative solution, as the plugin is considered abandoned and unlikely to receive further updates or security fixes (Patchstack).