CVE-2025-5288
BaseFortify
Publication date: 2025-06-13
Last updated on: 2025-06-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the REST API | Custom API Generator For Cross Platform And Import Export In WP WordPress plugin (versions 1.0.0 to 2.0.3). It is a privilege escalation flaw caused by a missing capability check in the process_handler() function. This allows unauthenticated attackers to send a specially crafted POST request to an import_api URL with JSON data that can create a new user account with full Administrator privileges.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can gain full Administrator access to a WordPress site using the affected plugin. This means they can control the entire site, modify content, install malicious code, steal data, or disrupt site operations, leading to severe security and operational impacts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the REST API | Custom API Generator For Cross Platform And Import Export In WP plugin to version 2.0.5 or later, as the plugin has been temporarily closed pending a full review. Additionally, restrict or monitor POST requests to the import_api endpoint to prevent unauthorized user creation until a patch is applied. [1]