Broken Access Control vulnerability | WordPress.org

Resolved Ken Gagne
(@kgagne)

3 months, 4 weeks ago

Patchstack recently reported a low-priority/low-severity security vulnerability with WordPress Google XML Sitemaps plugin <= 4.1.21. Details here:

https://patchstack.com/database/wordpress/plugin/google-sitemap-generator/vulnerability/wordpress-google-xml-sitemaps-plugin-4-1-21-broken-access-control-vulnerability

https://www.cve.org/CVERecord?id=CVE-2025-64632

Though a minor issue, will a fix be made available?

Viewing 5 replies - 1 through 5 (of 5 total)

Tobias Sörensson
(@weconnecttobias)

3 months, 3 weeks ago

i have posted https://wordpress.org/support/topic/security-risk-34/#post-18764281 a patch for this issue hope it helps. on my server it works.

seaghanmoriarty
(@seaghanmoriarty)

3 months, 3 weeks ago

Thank you Tobias!!

Plugin Author Frederick Townes
(@fredericktownes)

3 months, 3 weeks ago

Thank you @weconnecttobias and all who have alerted us!

An updated version has been released to resolve the security issue, and an upgrade notice has been added as well.

leedxw
(@leedxw)

3 months, 1 week ago

As of 2026-01-02 Patchstack claims 4.1.22 is still vulnerable.

“WordPress Google XML Sitemaps Plugin <= 4.1.22 is vulnerable to Broken Access Control”

https://patchstack.com/database/wordpress/plugin/google-sitemap-generator/vulnerability/wordpress-google-xml-sitemaps-plugin-4-1-21-broken-access-control-vulnerability

Plugin Author Frederick Townes
(@fredericktownes)

3 months, 1 week ago

They haven’t yet reviewed our submitted patch. Like any project, their review is not required for us to know that the vulnerability is addressed.

Viewing 5 replies - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

7 replies
5 participants
Last reply from: Frederick Townes
Last activity: 3 months, 1 week ago
Status: resolved