CVE-2025-49857: 
WordPress vulnerability analysis and mitigation

CVE-2025-49857 is a Missing Authorization vulnerability discovered in WPExperts.io myCred WordPress plugin affecting versions through 2.9.4.2. The vulnerability was discovered by Nguyen Tran Tuan Dung (domiee13) on April 24, 2025, and was publicly disclosed on June 12, 2025. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) (Wiz Database, NVD Database).

The vulnerability is classified as a Broken Access Control issue (CWE-862) that allows exploiting incorrectly configured access control security levels. It has been assigned a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating that while the vulnerability requires low attack complexity and no user interaction, it has limited impact on integrity with no direct effect on confidentiality or availability (Patchstack Database).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization checks. According to the CVSS score, while the vulnerability requires low attack complexity and no user interaction, it has limited impact on integrity with no direct effect on confidentiality or availability (Wiz Database).

The vulnerability has been fixed in version 2.9.4.3 of the myCred plugin. Users are advised to update to version 2.9.4.3 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack Database).