CVE-2025-47471: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in EnvoThemes Envo Extra plugin versions through 1.9.9. The vulnerability was disclosed on May 7, 2025, and assigned CVE-2025-47471. This security issue affects the access control security levels in the WordPress plugin, potentially allowing unauthorized actions (NVD, Patchstack).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability requires low attack complexity and privileged access, with potential impact primarily on integrity (Patchstack).

The vulnerability is characterized as a broken access control issue that could allow an unprivileged user to execute certain higher privileged actions. The impact is considered low severity, though it represents a security risk through incorrectly configured access control security levels (Patchstack).

The vulnerability has been patched in version 1.9.10 of the Envo Extra plugin. Users are advised to update to version 1.9.10 or later to remediate the security issue. The fix addresses the broken access control vulnerability by implementing proper authorization checks (Patchstack).