A security researcher has published proof-of-concept code for a critical authentication bypass vulnerability in the Atarim WordPress plugin that could allow attackers to steal sensitive user data and system configuration details.
The flaw, tracked as CVE-2025-60188, affects versions of the plugin that use insecure HMAC-based authentication.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-60188 |
| GHSA ID | GHSA-648j-fchv-3hrv |
| Vulnerability Type | Authentication Bypass via HMAC Forgery |
Vulnerability Details
The vulnerability stems from a fundamental design weakness in how the Atarim plugin validates administrative requests.
The plugin uses HMAC-SHA256 signatures to protect sensitive AJAX endpoints. However, researchers discovered that the secret key used to generate these signatures is easily obtainable by any visitor to the site.
“The application utilizes a predictable or leaked internal ID (site_id) as the secret key for signing requests to administrative AJAX actions,” explained the researcher m4sh-wacker, who developed the exploit.
This site identifier is exposed through a public REST API endpoint, making it trivial for attackers to retrieve the supposedly secret value.
Once attackers obtain the site_id, they can locally compute valid request signatures and access protected administrative functions.
The exploit targets endpoints that explicitly expose user personally identifiable information (PII), including names, email addresses, and user roles, as well as system settings that may contain license keys.
The attack requires no user interaction and can be executed by any unauthenticated visitor.
The publicly available Python exploit demonstrates how attackers can forge signatures and extract sensitive data in seconds, making this vulnerability particularly dangerous for affected websites.
Website administrators should immediately update the Atarim plugin to the latest patched version.
The plugin's developers are advised to adopt proper security measures, including deriving high-entropy secrets from WordPress's wp_salt() function and using a constant-time comparison for signature validation to prevent timing attacks.
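The flawed and the hardened verification patterns described above, modelled in Python as an added example (not the plugin's PHP code or the published exploit); the site_id value and SERVER_SECRET are constructed stand-ins, with SERVER_SECRET playing the role of a secret derived from wp_salt(), and accepts_signature_from_public_info is a hypothetical audit helper:

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demonstration; not the plugin's real identifiers.
PUBLIC_SITE_ID = "site-12345"            # the kind of value a public REST endpoint hands out
SERVER_SECRET = secrets.token_hex(32)    # hypothetical stand-in for a wp_salt()-derived secret


def sign(message: bytes, key: str) -> str:
    """HMAC-SHA256 over the request body, hex-encoded (same primitive in both schemes)."""
    return hmac.new(key.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_weak(message: bytes, signature: str) -> bool:
    """Flawed design: the key is the public site_id, so any visitor can reproduce it.
    The plain == comparison is also not constant-time."""
    return signature == sign(message, PUBLIC_SITE_ID)


def verify_hardened(message: bytes, signature: str) -> bool:
    """Fixed design: a high-entropy secret that never leaves the server, plus a
    constant-time comparison so the check leaks no timing information."""
    expected = sign(message, SERVER_SECRET)
    return hmac.compare_digest(expected, signature)


def legitimate_request(action: str) -> tuple:
    """What the plugin's own server-side code would emit under the hardened scheme."""
    message = f"action={action}".encode("utf-8")
    return message, sign(message, SERVER_SECRET)


def accepts_signature_from_public_info(verify, public_info: str) -> bool:
    """Audit check: does the verifier accept a signature keyed only on public data?
    A sound scheme must return False here; the weak one returns True."""
    message = b"action=get_users"
    return verify(message, sign(message, public_info))


if __name__ == "__main__":
    print("weak scheme accepts public-keyed signature:",
          accepts_signature_from_public_info(verify_weak, PUBLIC_SITE_ID))
    print("hardened scheme accepts public-keyed signature:",
          accepts_signature_from_public_info(verify_hardened, PUBLIC_SITE_ID))
```

The audit helper is the regression check a plugin maintainer would keep: it fails the build whenever the signing key can be reconstructed from information the site already publishes.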
Security teams should audit their WordPress installations for the Atarim plugin and treat this as a high-priority patching event, given the availability of working exploit code and the ease of exploitation.
