CVE-2025-39545: 
WordPress vulnerability analysis and mitigation

The Missing Authorization vulnerability (CVE-2025-39545) affects the WordPress REST API Authentication plugin versions through 3.6.3. The vulnerability was discovered by researcher chuck and publicly disclosed on April 16, 2025. This security issue is present in the miniOrange WordPress REST API Authentication plugin and allows exploiting incorrectly configured access control security levels (NVD, Patchstack).

The vulnerability stems from a missing capability check in the moapiauthcloseadminnotices() function. It has been assigned CWE-862 (Missing Authorization) and received a CVSS v3.1 score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. The vulnerability requires an authenticated user with at least Subscriber-level privileges to exploit (WPScan, [Patchstack](https://patchstack.com/database/wordpress/plugin/wp-rest-api-authentication/vulnerability/wordpress-wordpress-rest-api-authentication-3-6-3-settings-change-vulnerability?s_id=cve)).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to modify option values to the current time on the WordPress site. This can be exploited to create errors that could lead to denial of service for legitimate users or potentially enable unauthorized changes to registration settings (WPScan).

The vulnerability has been fixed in version 3.6.4 of the WordPress REST API Authentication plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).