CVE-2025-60128: 
WordPress vulnerability analysis and mitigation

The CVE-2025-60128 is a Missing Authorization vulnerability affecting the WordPress Delisho plugin versions through 1.1.3. The vulnerability was discovered by Denver Jackson and was publicly disclosed on September 26, 2025. This security issue allows exploiting incorrectly configured access control security levels in the WP Delicious Delisho plugin (Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS v3.1 score of 4.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue stems from missing authorization, authentication, or nonce token checks in certain functions, potentially allowing unprivileged users to execute higher privileged actions. The vulnerability is categorized under CWE-862 (Missing Authorization) (Patchstack).

The vulnerability has been assessed as having a low severity impact and is considered unlikely to be exploited. It could potentially allow contributor-level users to perform unauthorized actions due to the broken access control implementation (Patchstack).

The vulnerability has been fixed in version 1.1.4 of the Delisho plugin. Users are advised to update to version 1.1.4 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).