CVE-2025-60094: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-60094) was discovered in Benjamin Intal Stackable plugin affecting versions through 3.18.1. The vulnerability was reported on August 5, 2025, and publicly disclosed on September 26, 2025. This security issue involves broken access control that could allow exploiting incorrectly configured access control security levels (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue is classified as CWE-862 (Missing Authorization) and requires contributor-level privileges to exploit. The vulnerability stems from a broken access control issue where authorization, authentication, or nonce token checks are missing in certain functions, potentially allowing unprivileged users to execute higher privileged actions (Patchstack).

The vulnerability has been assessed as having a low severity impact. If exploited, it could allow unprivileged users to perform actions intended for users with higher privileges. However, the specific impact is considered unlikely to be severely exploited (Patchstack).

The vulnerability has been fixed in version 3.19.0 of the Stackable plugin. Users are advised to update to version 3.19.0 or later to remove the vulnerability. The fix was released shortly after the public disclosure (Patchstack).