CVE-2025-60148: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the WordPress Subscribe to Download plugin affecting versions through 2.0.9. The vulnerability was reported by João Pedro S Alcântara on June 5, 2025, and was publicly disclosed on September 26, 2025. The issue has been assigned CVE-2025-60148 and received a CVSS v3.1 score of 4.3 (Medium) (Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue that allows exploiting incorrectly configured access control security levels. The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating that the vulnerability requires network access, low attack complexity, and low privileges to exploit. No user interaction is required for exploitation (NVD, Patchstack).

The vulnerability has been assessed with a low severity impact. It involves a broken access control issue that could potentially allow an unprivileged user to execute certain higher privileged actions. The impact is primarily focused on integrity with no direct effect on confidentiality or availability (Patchstack).

As of September 29, 2025, no official fix has been released for this vulnerability. The issue remains unpatched, though Patchstack has indicated that a virtual patch is unnecessary due to the low severity of the vulnerability (Patchstack).