Description
Missing Authorization vulnerability in Surfer Surfer surferseo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Surfer: from n/a through <= 1.6.4.574.
Published: 2025-09-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported vulnerability in the Surfer plugin is a missing authorization flaw that allows an attacker to bypass the plugin’s access control mechanisms. An attacker who can reach the vulnerable plugin components could potentially perform actions or retrieve data that they would normally be prohibited from accessing. The weakness is classified as CWE-862 (Missing Authorization), indicating a flaw in access control that may enable privilege escalation or unauthorized data exposure. The impact may range from viewing restricted content to modifying plugin settings, potentially affecting the confidentiality and integrity of the WordPress site.

Affected Systems

The flaw exists in the Surfer Surferseo WordPress plugin provided by the vendor Surfer, distributed through WordPress up to and including version 1.6.4.574. Any WordPress installation that has this plugin installed in that version range is affected.

Risk and Exploitability

The CVSS score of 5.3 suggests a moderate risk profile. EPSS indicates a very low exploitation likelihood (under 1% at the time of this analysis), and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that an attacker would need to identify a reachable instance of the plugin and exploit the missing authorization controls, likely via the web interface or REST endpoints exposed by the plugin. Since no exploit was publicly demonstrated, theoretical exploitation remains the primary threat.

Generated by OpenCVE AI on April 30, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Surfer plugin to a version newer than 1.6.4.574 or a version where the access control issue is fixed
  • Restrict access to the WordPress installation to authorized roles only, and verify the plugin’s permission settings after the upgrade
  • Continuously monitor audit logs for unusual access patterns to plugin resources


Advisories
Source: EUVD
ID: EUVD-2025-26563
Title: Missing Authorization vulnerability in Surfer Surfer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Surfer: from n/a through 1.6.4.574.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (value removed): Missing Authorization vulnerability in Surfer Surfer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Surfer: from n/a through 1.6.4.574.
Description (value added): Missing Authorization vulnerability in Surfer Surfer surferseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Surfer: from n/a through <= 1.6.4.574.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 03 Sep 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Surfer
Surfer surfer Plugin
Wordpress
Wordpress wordpress
Vendors & Products Surfer
Surfer surfer Plugin
Wordpress
Wordpress wordpress

Wed, 03 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 14:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Surfer Surfer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Surfer: from n/a through 1.6.4.574.
Title WordPress Surfer Plugin <= 1.6.4.574 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Surfer Surfer Plugin
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:38:49.549Z

Reserved: 2025-09-03T09:02:38.119Z

Link: CVE-2025-58603

Vulnrichment

Updated: 2025-09-03T17:38:31.025Z

NVD

Status : Deferred

Published: 2025-09-03T15:15:41.620

Modified: 2026-04-23T15:33:26.620

Link: CVE-2025-58603

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:30:16Z

Weaknesses