CVE-2025-31848: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the WPFactory WordPress Adverts Plugin affecting versions through 1.4. The vulnerability was reported on November 26, 2024, and publicly disclosed on April 1, 2025. This security issue allows for exploiting incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 5.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability stems from a missing authorization, authentication, or nonce token check in a function that could allow an unprivileged user to execute certain higher privileged actions. The impact is considered low severity and is unlikely to be exploited (Patchstack).

Currently, there is no official fix available for this vulnerability. Given the low severity impact and unlikely exploitation potential, virtual patching has been deemed unnecessary (Patchstack).