CVE-2025-49248: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the WordPress Team Showcase plugin affecting versions prior to 25.05.13. The vulnerability was identified on April 21, 2025, and publicly disclosed on June 5, 2025. The security flaw allows exploiting incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS v3.1 score of 4.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is tracked as CWE-862 (Missing Authorization) and requires subscriber-level privileges to exploit (Patchstack).

The vulnerability allows an unprivileged user to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. While classified as having a low severity impact, it represents a security risk through broken access control mechanisms (Patchstack).

The vulnerability has been fixed in version 25.05.13 of the Team Showcase plugin. Users are advised to update to version 25.05.13 or later to remediate the security issue. Patchstack users have the option to enable auto-update functionality for vulnerable plugins (Patchstack).