CVE-2025-30821: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in SNORDIAN's H5PxAPIkatchu WordPress plugin, affecting versions up to 0.4.14. The vulnerability was discovered by Trương Hữu Phúc and publicly disclosed on March 27, 2025. This security issue allows accessing functionality not properly constrained by Access Control Lists (ACLs) (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 5.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating that it can be exploited over the network, requires low attack complexity, and needs no privileges or user interaction (Patchstack).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. While classified as having a low severity impact, it could potentially compromise the security of affected WordPress installations (Patchstack).

The vulnerability has been fixed in version 0.4.15 of the SNORDIAN's H5PxAPIkatchu plugin. Users are advised to update to version 0.4.15 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).