CVE-2025-49246: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the cmoreira Testimonials Showcase WordPress plugin, identified as CVE-2025-49246. The vulnerability affects versions through 1.9.16 and allows exploiting incorrectly configured access control security levels. The issue was discovered by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity and was publicly disclosed on June 5, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating that it requires network access and low privileges to exploit, with no user interaction needed. The impact is primarily on integrity, with no direct effect on confidentiality or availability (Patchstack).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. While classified as having a low severity impact, it represents a security risk through broken access control mechanisms (Patchstack).

The vulnerability has been fixed in version 1.9.18 of the Testimonials Showcase plugin. Users are advised to update to version 1.9.18 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).