CVE-2025-49431: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-49431) was discovered in the Gnuget MF Plus WPML WordPress plugin affecting versions through 1.1. The vulnerability was initially reported by researcher Mika on April 29, 2025, and was publicly disclosed on July 3, 2025 (Patchstack).

The vulnerability is classified as CWE-862 (Missing Authorization) and received a CVSS v3.1 score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. The issue allows for exploiting incorrectly configured access control security levels and can be triggered by unauthenticated users (NVD, Patchstack).

The vulnerability allows attackers to make unauthorized settings changes to the affected WordPress installations. The CVSS score indicates that while there is no impact on confidentiality, there are low impacts on both integrity and availability of the system (Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement the virtual patch until an official fix becomes available (Patchstack).