CVE-2025-32232: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in ERA404 StaffList plugin affecting versions through 3.2.6. The vulnerability was discovered by researcher Anhchangmutrang and was publicly disclosed on April 4, 2025. The issue has been assigned CVE-2025-32232 and relates to incorrectly configured access control security levels in the WordPress plugin (Patchstack).

The vulnerability has been classified as a Broken Access Control issue, which stems from missing authorization, authentication, or nonce token checks in certain functions. This allows unprivileged users to potentially execute higher privileged actions. The vulnerability has received a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue has been categorized under CWE-862 (Missing Authorization) (Patchstack, NVD).

The vulnerability has been assessed to have a low severity impact and is considered unlikely to be exploited. The CVSS score of 4.3 indicates a moderate level of risk, with potential impact primarily focused on integrity aspects of the system (Patchstack).

Currently, no official fix is available for this vulnerability. Given the low severity impact, virtual patching has been deemed unnecessary by security researchers (Patchstack).