CVE-2025-39513: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in ActiveDEMAND Online Agency Marketing Automation (version 0.2.46 and earlier). The vulnerability was disclosed on April 16, 2025, and is tracked as CVE-2025-39513. The issue allows unauthorized access to functionality not properly constrained by Access Control Lists (ACLs) (NVD, Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) that stems from missing authorization checks. It has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating that it can be exploited over the network with low attack complexity and requires no privileges or user interaction (NVD).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to the broken access control implementation. While specific details about the impact vary case by case, the CVSS scoring indicates potential availability impacts to the system (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects ActiveDEMAND versions up to and including 0.2.46 (Patchstack).

The vulnerability was initially reported by security researcher Trương Hữu Phúc on March 11, 2025, and was subsequently published by Patchstack on April 16, 2025 (Patchstack).