CVE-2025-55716: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-55716) was discovered in VeronaLabs WP Statistics plugin for WordPress, affecting versions up to and including 14.15. The vulnerability was disclosed on August 14, 2025, and allows authenticated users with Subscriber-level access to exploit incorrectly configured access control security levels (Rapid7, Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The attack vector is network-based, with low attack complexity, requiring low privileges and no user interaction. The scope is unchanged, with no impact on confidentiality, low impact on integrity, and no impact on availability (AttackerKB).

The vulnerability allows authenticated attackers with Subscriber-level access and above to perform unauthorized actions within the WP Statistics plugin. The impact is primarily focused on integrity, with potential for unauthorized modifications to plugin functionality (Rapid7).

The vulnerability has been patched in version 14.15.2 of the WP Statistics plugin. Users are advised to update to this version or later to remediate the security issue. The fix addresses the broken access control vulnerability by implementing proper authorization checks (Patchstack).