Description
Missing Authorization vulnerability in Bjoern WP Performance Pack wp-performance-pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Performance Pack: from n/a through <= 2.5.3.
Published: 2025-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization in WP Performance Pack (Bjoern) versions up to and including 2.5.3 enables an attacker to alter the plugin’s settings or access administrative functions without proper authentication. The weakness corresponds to a broken access control flaw, which can compromise the integrity and privacy of site configuration and potentially expose sensitive data configured by the plugin. The vulnerability is explicit in the CVE description, though specific exploitation steps are not detailed in the available data.

Affected Systems

Affected systems are installations of the WP Performance Pack plugin by Bjoern running any version from the earliest supported releases through 2.5.3. No later releases are affected. A site using any of those versions is susceptible to the vulnerability.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate impact, while the EPSS score of less than 1% shows a very low likelihood of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Attackers likely need web access to the plugin’s administrative interface and may exploit the lack of authorization checks to manipulate settings or view protected information. The risk is thus moderate but should be mitigated promptly.

Generated by OpenCVE AI on May 1, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Performance Pack to the latest version (2.5.4 or later).
  • If an update is not immediately possible, restrict the plugin’s administrative interface to trusted administrators only or disable the plugin until a patch is applied.
  • Audit the site for any unauthorized configuration changes and reset or secure affected settings as a precaution.


Advisories
Source: EUVD
ID: EUVD-2025-7885
Title: Missing Authorization vulnerability in Bjoern WP Performance Pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Performance Pack: from n/a through 2.5.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Missing Authorization vulnerability in Bjoern WP Performance Pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Performance Pack: from n/a through 2.5.3.
Values Added: Missing Authorization vulnerability in Bjoern WP Performance Pack wp-performance-pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Performance Pack: from n/a through <= 2.5.3.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00048}

epss

{'score': 0.00067}


Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Bjoern WP Performance Pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Performance Pack: from n/a through 2.5.3.
Title WordPress WP Performance Pack plugin <= 2.5.3 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:51.094Z

Reserved: 2025-03-11T08:10:05.094Z

Link: CVE-2025-28938

Vulnrichment

Updated: 2025-03-12T13:43:54.263Z

NVD

Status: Deferred

Published: 2025-03-11T21:15:51.737

Modified: 2026-04-23T15:26:38.433

Link: CVE-2025-28938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:00:15Z

Weaknesses