Attack Vectors
CVE-2025-68020 affects the WANotifier plugin for WordPress (Notifications for Forms & WordPress Actions, slug: notifier) in versions up to and including 2.7.13. The issue is a missing authorization (capability) check: at least one plugin function that should have been restricted to privileged users can be triggered by an attacker who has no account on the site.
Because the flaw is reachable over the network and needs neither authentication nor user interaction (CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), the practical risk is opportunistic scanning and automated exploitation attempts against sites still running an affected version.
Security Weakness
The root cause is a missing capability check on a plugin function. In WordPress terms, the code performs a sensitive action without first asking "does the current user hold the capability this action requires?" (the check normally made with current_user_can() before the action runs). In business terms, the plugin does not consistently verify that a request comes from an authorized WordPress role before letting a sensitive action proceed.
It is rated Medium (CVSS 5.3): the vector records no confidentiality or availability impact and only a low integrity impact, so it is not described as enabling data theft or site-wide takeover on its own. It does allow unauthorized changes, and those can still create meaningful operational, compliance and brand risk depending on what the affected function controls in your deployment.
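To make the weakness concrete, the following is an added illustration written for this page, not WANotifier's own code: a WordPress AJAX handler exposed to unauthenticated visitors with no capability check, beside its hardened form, plus the equivalent mistake in a REST route. The hook names, option name, nonce action and the manage_options capability are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's code). Hook names, the option name, the
// nonce action and the 'manage_options' capability are assumptions.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_nopriv_* handlers run for visitors who are NOT logged in. This one
// changes a site option (a sensitive action) without checking who is calling.
add_action( 'wp_ajax_nopriv_example_save_routing', 'example_save_routing_vulnerable' );
add_action( 'wp_ajax_example_save_routing', 'example_save_routing_vulnerable' );

function example_save_routing_vulnerable() {
    $target = isset( $_POST['target'] ) ? sanitize_text_field( wp_unslash( $_POST['target'] ) ) : '';
    update_option( 'example_notification_target', $target ); // reachable by anyone on the internet
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// 1. Register only the authenticated hook (no nopriv variant).
// 2. Verify a nonce: this stops CSRF against a logged-in admin, but it is NOT
//    authorization, because any logged-in user can obtain a nonce.
// 3. Check the capability: this is the authorization check that was missing.
add_action( 'wp_ajax_example_save_routing', 'example_save_routing_hardened' );

function example_save_routing_hardened() {
    check_ajax_referer( 'example_save_routing', 'nonce' ); // dies on a missing or invalid nonce

    if ( ! current_user_can( 'manage_options' ) ) {        // authorization check
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $target = isset( $_POST['target'] ) ? sanitize_text_field( wp_unslash( $_POST['target'] ) ) : '';
    update_option( 'example_notification_target', $target );
    wp_send_json_success();
}

// --- Same mistake in a REST route ------------------------------------------
// 'permission_callback' => '__return_true' makes the endpoint public. Return a
// real capability check from the callback instead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/routing', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $target = sanitize_text_field( (string) $req->get_param( 'target' ) );
            update_option( 'example_notification_target', $target );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' ); // not '__return_true'
        },
    ) );
} );
```

When auditing a plugin for this class of bug, the places to look are every wp_ajax_nopriv_* registration, every REST route whose permission_callback is __return_true or absent, and every admin_post_nopriv_* or init-hooked handler that acts on request parameters; each of them should either be genuinely public by design or gate the action with a capability check, not only a nonce.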
Technical or Business Impacts
The immediate concern is that an unauthenticated party may be able to perform an action in WANotifier that your organization intended to restrict to administrators or trusted staff. Even when the impact is “Integrity: Low,” unauthorized actions can translate into real-world business outcomes such as unwanted changes to notification workflows, disruption to lead handling, or unexpected behavior in form-to-message automation.
For marketing and revenue teams, the risk can include lost or misrouted leads, altered notification routing, or inconsistent campaign attribution if form-triggered actions are manipulated. For executives and compliance stakeholders, the key risk is process integrity: when unauthenticated actions are possible, it becomes harder to prove controls are working as intended, and incident response becomes more costly.
Recommended action: update Notifications for Forms & WordPress Actions (WANotifier) to version 3.0.0 or newer, which contains the vendor's fix, and confirm the installed version afterwards from the Plugins screen. Until the update is applied, treat the site as exposed to unauthenticated requests against the affected function. Track this vulnerability as CVE-2025-68020. Reference: Wordfence vulnerability record.
Similar Attacks
Missing-authorization flaws are a recurring theme in WordPress security because they can allow actions without the right permissions. For context, here are a few well-documented examples where authorization gaps played a central role:
Elementor Pro (2020) – Privilege/authorization issue enabling unauthorized actions
InfiniteWP Client (2021) – Authentication/authorization weaknesses leading to unauthorized access
Yoast SEO (2022) – Unauthorized actions due to access control gaps