
CVE-2025-24691: Medium Vulnerability in ctltwp People Lists

A medium-severity Missing Authorization vulnerability in ctltwp People Lists plugin could allow unauthorized access due to misconfigured access controls. Organizations should prioritize remediation to mitigate risks.

MEDIUM · CVSS 4.3 · Published January 24, 2025


The vulnerability identified as CVE-2025-24691 involves a Missing Authorization vulnerability in the ctltwp People Lists plugin. This issue allows attackers to exploit incorrectly configured access control security levels, potentially leading to unauthorized access to sensitive information. The severity of this vulnerability is classified as medium, with a CVSS score of 4.3, indicating that while it does not present an immediate critical threat, it can still be exploited with relative ease under certain conditions.

Risk to organizations includes the potential for unauthorized users to gain access to restricted functionalities within the People Lists plugin. Given the nature of this vulnerability, the impact can be significant, especially for organizations that rely heavily on this plugin for managing user data. The vulnerability affects versions up to and including 1.3.10, and organizations using these versions should act promptly.

As of now, there are no known exploits for this vulnerability, and it is not listed in the Known Exploited Vulnerabilities (KEV) catalog. However, the lack of immediate known exploitation does not diminish the importance of addressing this vulnerability. Organizations should prioritize patching immediately to mitigate any risk associated with this issue.

The exploitation status of this vulnerability is classified as deferred, which means that while it may not be actively exploited at present, it has the potential for future exploitation. Organizations should remain vigilant and incorporate this vulnerability into their risk management processes.

Given the potential impacts and the current status, it is recommended that organizations using the affected plugin take immediate steps to remediate this vulnerability.

Vulnerability Details

The vulnerability allows unauthorized access due to misconfigured access control security levels in the ctltwp People Lists plugin, which impacts versions from n/a through 1.3.10. The vulnerability has a CVSS score of 4.3, indicating medium severity. It was published on January 24, 2025, and is classified under CWE-862.

Technical Analysis

The root cause of this vulnerability stems from a lack of proper authorization checks in the People Lists plugin. Attackers may exploit this vulnerability remotely (attack vector: network) with low attack complexity, requiring only low privileges to execute. Importantly, user interaction is not required to exploit this vulnerability. The impacts on confidentiality are negligible, but there is a low integrity impact, as unauthorized alterations could be made to data.

Risk & Impact Analysis

Real-world deployments of the affected plugin carry considerable risk. Organizations running an affected version of the People Lists plugin may be exposed to unauthorized access, potentially leading to data breaches or unauthorized modifications. The urgency of addressing this vulnerability is medium, as the CVSS score indicates a moderate risk level.

Exploitation Status

Signal               Status
Known Exploit        No
Public PoC           No
Actively Exploited   No
Ransomware Use       No

Affected Versions

This vulnerability affects all versions of the ctltwp People Lists plugin from n/a through 1.3.10. Organizations should ensure they are using a patched version to mitigate any risks associated with this vulnerability.

Mitigation & Remediation

Organizations should prioritize updating to the latest version of the ctltwp People Lists plugin to address this vulnerability. In case a patch is not available, implement access controls at the application level to restrict unauthorized access, and regularly review configurations to ensure they comply with security best practices. For further assistance, consider engaging in penetration testing and security assessments.
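The root cause described under Technical Analysis (CWE-862) and the interim advice above ("implement access controls at the application level") both come down to the same pattern in a WordPress plugin: a request handler that acts on data without first checking that the calling user is allowed to. The following is an added illustration written for this page; it is not code from the People Lists plugin, and the action names, option keys, nonce name and required capability are all hypothetical. It shows a handler with the authorization check missing next to the same handler with the check in place.

```php
<?php
// Added illustration of CWE-862 (Missing Authorization) in a WordPress
// plugin. All names below are hypothetical; this is not the plugin's code.

// BEFORE: the handler is reachable by any logged-in user via admin-ajax.php
// (wp_ajax_ hooks fire for every authenticated role, including subscriber),
// and nothing verifies that the caller is permitted to change a list.
function example_update_list_unsafe() {
    $list_id = isset( $_POST['list_id'] ) ? absint( $_POST['list_id'] ) : 0;
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'example_people_list_' . $list_id, $title ); // hypothetical option key
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_list_unsafe', 'example_update_list_unsafe' );

// AFTER: verify the request nonce (CSRF protection), then require an
// explicit capability before touching any data (the authorization check).
// A valid nonce alone is not authorization: any user who was shown the
// nonce has one, so the capability check is what closes CWE-862.
function example_update_list_safe() {
    check_ajax_referer( 'example_update_list', 'nonce' ); // hypothetical nonce action

    if ( ! current_user_can( 'manage_options' ) ) { // capability chosen for the example
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $list_id = isset( $_POST['list_id'] ) ? absint( $_POST['list_id'] ) : 0;
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( 0 === $list_id || '' === $title ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }

    update_option( 'example_people_list_' . $list_id, $title ); // hypothetical option key
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_list_safe', 'example_update_list_safe' );
```

When reviewing a plugin for this class of issue, list every `wp_ajax_*`, `wp_ajax_nopriv_*`, REST route and `admin_post_*` handler and confirm that each one performs its own `current_user_can()` (or an equivalent `permission_callback` for REST routes) before reading or writing state; the presence of a nonce check is not sufficient evidence that authorization is enforced.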

Detection Guidance

To detect potential exploitation of this vulnerability, organizations should monitor logs for unauthorized access attempts and unusual behavior related to the People Lists plugin. Behavioral anomalies and discrepancies in user access patterns may indicate attempts to exploit this vulnerability.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2025-24691 lies in its representation of common misconfigurations in access controls that can lead to severe vulnerabilities. Security teams should use this case to strengthen their access control mechanisms and ensure thorough testing of security configurations. For additional insights and best practices, refer to our vulnerability management program and consider implementing a penetration testing methodology to proactively identify and mitigate similar risks in the future.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
