Description
Missing Authorization vulnerability in WP Messiah WP Mobile Bottom Menu mobile-bottom-menu-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Mobile Bottom Menu: from n/a through <= 1.4.0.
Published: 2025-04-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing Authorization vulnerability in the WP Messiah WP Mobile Bottom Menu plugin allows attackers to bypass intended access controls and modify or delete plugin settings. The flaw enables an attacker to perform actions that should be restricted to privileged users, potentially compromising the configuration and behavior of the website. This type of weakness is identified as CWE-862, which indicates a failure of authority checks.

Affected Systems

The vulnerability affects WordPress sites running the WP Mobile Bottom Menu plugin provided by WP Messiah. Versions from the initial release up to and including 1.4.0 are impacted. The issue is documented as affecting all releases identified by the plugin version range n/a through <= 1.4.0.

Risk and Exploitability

The vulnerability is scored with a CVSS of 4.3, indicating a moderate impact if exploited. The EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to involve web-based interaction with the plugin's administrative interface, likely requiring an authenticated WordPress user with limited privileges to elevate privileges. This inference is drawn from the description of the broken access control flaw.

Generated by OpenCVE AI on May 1, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Mobile Bottom Menu plugin to a version newer than 1.4.0 once an official patch is available.
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin to eliminate the attack surface.
  • Review and tighten WordPress role and capability assignments, ensuring only trusted administrators can access plugin configuration pages, and audit any residual access controls.


Advisories
Source: EUVD
ID: EUVD-2025-9456
Title: Missing Authorization vulnerability in WP Messiah WP Mobile Bottom Menu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Mobile Bottom Menu: from n/a through 1.2.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Missing Authorization vulnerability in WP Messiah WP Mobile Bottom Menu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Mobile Bottom Menu: from n/a through 1.2.9.
  Values Added: Missing Authorization vulnerability in WP Messiah WP Mobile Bottom Menu mobile-bottom-menu-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Mobile Bottom Menu: from n/a through <= 1.4.0.
Title
  Values Removed: WordPress WP Mobile Bottom Menu plugin <= 1.2.9 - Broken Access Control vulnerability
  Values Added: WordPress WP Mobile Bottom Menu plugin <= 1.4.0 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 02 Apr 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WP Messiah WP Mobile Bottom Menu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Mobile Bottom Menu: from n/a through 1.2.9.
Title WordPress WP Mobile Bottom Menu plugin <= 1.2.9 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:00:59.480Z

Reserved: 2025-03-31T10:05:11.644Z

Link: CVE-2025-31525

Vulnrichment

Updated: 2025-04-02T13:41:43.798Z

NVD

Status: Deferred

Published: 2025-04-01T21:15:48.723

Modified: 2026-04-23T15:27:53.997

Link: CVE-2025-31525

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:30:05Z

Weaknesses