CVE-2025-3702: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-3702) was discovered in the Melapress File Monitor WordPress plugin, affecting all versions before 2.2.0. The vulnerability was initially reported by Mika on November 20, 2024, and was publicly disclosed on July 3, 2025. The issue stems from incorrectly configured access control security levels in the plugin (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 score of 5.4 (Medium). The technical nature of the vulnerability involves a missing authorization, authentication, or nonce token check in a function that could allow unprivileged users to execute higher privileged actions. The vulnerability requires an authenticated user with at least Subscriber-level access to exploit (Patchstack, Rapid7).

The vulnerability is considered moderately dangerous and is expected to become exploited. When successfully exploited, it allows authenticated attackers with Subscriber-level access to perform unauthorized actions, potentially compromising the security of the WordPress installation (Patchstack).

Users are advised to update to version 2.2.0 or later of the Melapress File Monitor plugin to resolve the vulnerability. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until users can update to the fixed version (Patchstack).