Attack Vectors
CVE-2025-60148 affects the Subscribe to Download WordPress plugin (slug: subscribe-to-download) in versions up to and including 2.0.9. The issue is rated Medium severity (CVSS 4.3).
The primary attack path is through a logged-in WordPress account. An attacker with subscriber-level access or higher could trigger the vulnerable function remotely (no user interaction required) to perform an unauthorized action. In practical terms, this raises risk in environments where accounts are easy to obtain (public registrations, marketing campaign signups, partner portals) or where many low-privilege accounts exist.
Security Weakness
The vulnerability is caused by a missing authorization (capability) check in a plugin function. That means the plugin does not consistently verify whether the logged-in user is allowed to perform the requested action, even though they are authenticated.
This type of weakness matters because it undermines the "least privilege" model many organizations rely on: subscribers are meant to have only limited access, yet a plugin that skips the capability check lets them perform actions reserved for more privileged roles.
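The pattern behind a missing capability check, and the hardened form of the same handler, as an added illustration written for this page and not code from the Subscribe to Download plugin (the action, option and nonce names are hypothetical):

```php
<?php
// Constructed example, not the plugin's own code.
// Hypothetical AJAX action name 'std_demo_save_settings' and option 'std_demo_setting'.

// Weak pattern: wp_ajax_{action} hooks fire for every logged-in user,
// so authentication alone does not restrict who reaches this function.
add_action( 'wp_ajax_std_demo_save_settings', 'std_demo_save_settings_unchecked' );
function std_demo_save_settings_unchecked() {
    // Authenticated but not authorized: a subscriber can change the option.
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'std_demo_setting', $value );
    wp_send_json_success();
}

// Hardened pattern: check the capability, then the nonce, before acting.
add_action( 'wp_ajax_std_demo_save_settings_v2', 'std_demo_save_settings_checked' );
function std_demo_save_settings_checked() {
    // Authorization: only users who may manage options proceed.
    // wp_send_json_error() ends the request, so nothing below runs for others.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: rejects requests that do not carry the expected nonce.
    check_ajax_referer( 'std_demo_save_settings', 'nonce' );

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'std_demo_setting', $value );
    wp_send_json_success();
}

// The matching nonce is emitted on the settings page the admin submits from:
// wp_nonce_field( 'std_demo_save_settings', 'nonce' );
```

When auditing a plugin for this class of bug, list every wp_ajax_*, admin_post_* and REST callback and confirm each one calls current_user_can() (or an equivalent permission callback) before it changes state.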
Reference: CVE-2025-60148 record and the vendor/industry analysis from Wordfence.
Technical or Business Impacts
While the published details describe this as an unauthorized action enabled by missing authorization, the business impact can still be meaningful—especially for marketing-led sites where user registrations are common. Potential outcomes include unapproved changes to site behavior related to the plugin’s features, unexpected workflow disruptions, or policy and compliance concerns if users can access functionality outside their intended role.
From an executive and compliance perspective, the biggest risk is often not a single dramatic breach, but a loss of control over who can do what inside a customer-facing web property—potentially affecting brand trust, campaign integrity, and audit readiness.
Recommended remediation: Update Subscribe to Download to version 2.1.0 or a newer patched version. After updating, review subscriber-level accounts (including any created via marketing forms or integrations) and remove or disable any that are no longer needed.
Similar attacks: Authorization issues (missing or broken access checks) are a recurring theme in WordPress plugins and have been observed across the ecosystem. For context, see examples such as the CVE-2024-27956 WordPress-related incident involving plugin risk exposure, and the widely referenced CVE-2023-40000 record as another example of how authorization and access-control mistakes can translate into real-world impact.