CVE-2025-49884: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-49884) was discovered in the WordPress plugin Internal Linking of Related Contents, affecting versions up to and including 1.1.8. The vulnerability was reported on May 29, 2025, and publicly disclosed on July 8, 2025. The issue stems from missing capability checks in the plugin's functionality, which could allow unauthorized access to certain features (Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue with a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. The security flaw allows unauthenticated attackers to perform unauthorized actions due to incorrectly configured access control security levels (NVD, Rapid7).

The vulnerability enables unauthenticated attackers to perform unauthorized actions within the WordPress installation. The CVSS scoring indicates that while there is no impact on confidentiality, there are low impacts on both integrity and availability of the affected system (Patchstack).

The vulnerability has been patched in version 1.1.9 of the Internal Linking of Related Contents plugin. Users are advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).