CVE-2025-54714: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the Zephyr Project Manager WordPress plugin, identified as CVE-2025-54714. The vulnerability affects all versions up to and including 3.3.201, and was disclosed on August 26, 2025. The security flaw is related to incorrectly configured access control security levels in the plugin (Rapid7, Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue with a CVSS v3.1 Base Score of 7.1 (HIGH). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, indicating network accessibility, low attack complexity, and requiring low privileges. The vulnerability stems from a missing capability check on a specific function within the plugin (NVD, Patchstack).

The vulnerability allows authenticated attackers with Subscriber-level access and above to perform unauthorized actions. This broken access control issue could lead to unprivileged users executing certain higher privileged actions within the WordPress installation (Rapid7, Patchstack).

Users are advised to update to version 3.3.202 or later to resolve the vulnerability. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the fixed version can be installed (Patchstack).