What the vulnerability does
01Description
Missing Authorization vulnerability in ThemeBoy Hide Plugins hide-plugins allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hide Plugins: from n/a through <= 1.0.4.
CVE-2025-62115
MEDIUM
CVE-2025-62115: WordPress Hide Plugins plugin <= 1.0.4 - Broken Access Control vulnerability
CVSS base score
4.3/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Explanation of Vulnerability in Simple Terms
02Summary
Hide Plugins version 1.0.4 and earlier lacks proper authorization checks, allowing authenticated users with low privileges to modify plugin visibility settings they should not have access to. The vulnerability requires a valid user account but no special interaction. Site administrators should update to a version newer than 1.0.4 to prevent unauthorized plugin management.
What an attacker can do
03Attacker Capabilities
Modify plugin visibility settings without proper authorization.
Potential impact on your site
04Site Impact
Unauthorized users can hide or unhide plugins, potentially disrupting site functionality or exposing hidden features.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site.
Key dates
06Disclosure timeline
December 31, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2024-13703 CRM and Lead Management by vcita <= 2.7.5 - Missing Authorization to Authenticated (Susbcriber+) Widget Toggle
CVE-2023-6985 10Web AI Assistant – AI content writing assistant <= 1.0.18 - Missing Authorization to Arbitrary Plugin Installation
CVE-2024-43962 WordPress LWS Affiliation plugin <= 2.3.4 - Broken Access Control vulnerability
CVE-2024-32143 WordPress Podlove Podcast Publisher plugin <= 4.1.0 - Broken Access Control vulnerability
CVE-2025-64243 WordPress Directory Pro plugin <= 2.5.6 - Broken Access Control vulnerability
