CVE-2025-31789: 
WordPress vulnerability analysis and mitigation

CVE-2025-31789 is a Missing Authorization vulnerability discovered in Matat Technologies TextMe SMS WordPress plugin affecting versions up to and including 1.9.1. The vulnerability was disclosed on April 3, 2025, and is classified as a broken access control issue (NVD, Patchstack).

The vulnerability is categorized as CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 6.5 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and requiring low privileges with no user interaction (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access and above to perform unauthorized actions due to missing capability checks on certain functions. This represents a significant security risk as it bypasses intended access control mechanisms (WPScan).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks. Users are advised to either implement the virtual patch or consider removing and replacing the software, as it appears to be abandoned with no updates for over a year (Patchstack).