CVE-2025-54679: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in the WordPress plugin Neon Channel Product Customizer Free versions up to 2.0. The vulnerability was discovered by researcher theviper17 and was officially assigned CVE-2025-54679 on August 14, 2025. The vulnerability affects the access control security levels of the plugin, potentially allowing unauthorized actions (Patchstack).

The vulnerability has been classified as CWE-862 (Missing Authorization) and received a CVSS v3.1 Base Score of 7.5 (High). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and can result in high impact on availability (Patchstack).

The vulnerability allows for arbitrary content deletion, which could enable malicious actors to delete various types of content from the affected website, including pictures, posts, or pages. The high CVSS score of 7.5 indicates that this vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

Users are advised to update to version 3.0 or later of the Neon Channel Product Customizer Free plugin to resolve the vulnerability. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until users can update to the fixed version (Patchstack).