CVE-2025-50028: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-50028) was discovered in CodeSolz Ultimate Push Notifications WordPress plugin affecting versions through 1.1.9. The vulnerability was disclosed on July 16, 2025, and involves incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 6.5 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating that it can be exploited over the network with low attack complexity and requires no privileges or user interaction (NVD).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization checks. This broken access control issue could lead to unauthorized access and potential manipulation of plugin functionality (Patchstack).

No official fix is currently available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately (Patchstack).