CVE-2025-68048 HIGH

CVE-2025-68048: WordPress NextMove Lite plugin <= 2.23.0 - Broken Access Control vulnerability

Vendor Xlplugins

Product NextMove Lite

Weakness CWE-862 · Missing authorization

Published February 20, 2026

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NextMove Lite: from n/a through <= 2.23.0.

Explanation of Vulnerability in Simple Terms

02Summary

NextMove Lite versions up to 2.23.0 lack proper authorization checks, allowing unauthenticated attackers to read sensitive data. An attacker can access the application over the network without credentials or user interaction. The vulnerability exposes confidential information but does not allow modification or disruption of service.

What an attacker can do

03Attacker Capabilities

Read sensitive data without logging in or any user interaction.

Potential impact on your site

04Site Impact

Confidential information accessible to anyone on the internet without a password.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

February 20, 2026 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-68048 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities