CVE-2025-60152: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-60152) was discovered in the WordPress Subscribe To Unlock plugin affecting versions through 1.1.5. The vulnerability was discovered by João Pedro S Alcântara (Kinorth) and was publicly disclosed on September 26, 2025. The issue affects the Subscribe To Unlock WordPress plugin and allows exploiting incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue stems from missing authorization, authentication, or nonce token checks in certain functions, potentially allowing unprivileged users to execute higher privileged actions. The vulnerability is categorized under CWE-862 (Missing Authorization) (Patchstack).

The vulnerability has been assessed as having a low severity impact and is considered unlikely to be exploited. It affects the access control mechanisms of the plugin, potentially allowing subscriber-level users to perform unauthorized actions (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects versions up to and including 1.1.5 of the Subscribe To Unlock plugin (Patchstack).

Patchstack issued an early warning to their customers on September 26, 2025, before the public disclosure. The vulnerability was subsequently published by Patchstack on September 28, 2025 (Patchstack).