CVE-2025-49986: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-49986) was discovered in thanhtungtnt Video List Manager WordPress plugin affecting versions through 1.7. The vulnerability was discovered by Chu The Anh (Blue Rock) on May 8, 2025, and was publicly disclosed on June 19, 2025. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) (Wiz, NVD).

The vulnerability is classified as a Broken Access Control issue (CWE-862) where the plugin fails to properly implement authorization checks, allowing functionality to be accessed without proper ACL constraints. The vulnerability has received a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (Patchstack).

The vulnerability allows unauthenticated users to access functionality that should be restricted by access control lists (ACLs). This could potentially lead to unauthorized actions being performed within the WordPress installation (Patchstack).

No official fix is available as the software appears to be abandoned, having not received updates for over a year. The recommended mitigation is to remove and replace the Video List Manager plugin with an alternative solution (Patchstack).