CVE-2025-49990: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-49990) was discovered in ContentStudio WordPress plugin versions through 1.3.4. The vulnerability was identified on June 19, 2025, and publicly disclosed on June 20, 2025. This security issue affects the ContentStudio plugin's access control mechanism, allowing functionality to be accessed without proper Access Control List (ACL) constraints (NVD, Wiz).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 5.3 (Medium). The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N indicates that the vulnerability is network accessible, requires low attack complexity, needs no privileges, and requires no user interaction (NVD, Patchstack).

The vulnerability enables unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. While classified as low severity, it represents a security weakness in the access control mechanism of the application (Wiz, Patchstack).

Currently, there is no official fix available for this vulnerability. Given the low severity impact, immediate patching has been deemed unnecessary (Patchstack).