CVE-2025-5812: 
WordPress vulnerability analysis and mitigation

The VG WORT METIS plugin for WordPress contains a vulnerability (CVE-2025-5812) related to unauthorized modification of data, discovered and disclosed on June 25, 2025. The vulnerability affects all versions up to and including 2.0.0. The issue stems from a missing capability check in the gutenbergsavepost() function, which allows authenticated users with Subscriber-level access or higher to modify limited post settings (NVD CVE, Wiz Analysis).

The vulnerability is classified as a Missing Authorization weakness (CWE-862) with a CVSS v3.1 Base Score of 4.3 (MEDIUM). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), affecting only the local system (S:U), with no impact on confidentiality (C:N), low impact on integrity (I:L), and no impact on availability (A:N) (NVD CVE).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to update limited post settings in WordPress installations using the VG WORT METIS plugin. This unauthorized modification capability could potentially affect the integrity of post data (Wiz Analysis).

Users should upgrade to a version newer than 2.0.0 once available. Until then, site administrators should carefully review and possibly restrict user roles and permissions, particularly for Subscriber-level accounts (Wiz Analysis).