CVE-2025-49268: 
WordPress vulnerability analysis and mitigation

CVE-2025-49268 is a Missing Authorization vulnerability discovered in Soft8Soft LLC Verge3D WordPress plugin that allows exploiting incorrectly configured access control security levels. The vulnerability affects Verge3D versions through 4.9.4 and was disclosed on June 6, 2025 (NVD, CVE).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 5.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability stems from missing authorization checks that could allow unprivileged users to execute higher privileged actions (Patchstack).

The vulnerability has a low severity impact and allows unauthorized access to certain functions within the Verge3D plugin. The CVSS score indicates that while the vulnerability can be exploited remotely with low complexity and requires no privileges or user interaction, it only results in low confidentiality impact with no effect on integrity or availability (Patchstack).

The vulnerability has been fixed in Verge3D version 4.9.5. Users are recommended to update to version 4.9.5 or later to remove the vulnerability (Patchstack).