CVE-2025-5835
BaseFortify
Publication date: 2025-07-25
Last updated on: 2026-04-08
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeum | droip | up to and including 2.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Droip plugin for WordPress is a missing capability check in the droip_post_apis() function, which is reachable through the plugin's AJAX hooks (the wp_ajax_ handlers served by admin-ajax.php). Those hooks fire for any logged-in user, and the handler never verifies that the caller holds a capability such as delete_posts or manage_options before acting. As a result, any authenticated user with Subscriber-level access or higher can delete, create, and duplicate posts, update plugin settings, and manipulate user accounts. Unauthenticated visitors are not affected, which is why the issue requires at least a Subscriber account.
How can this vulnerability impact me?
This vulnerability can lead to severe impacts including arbitrary deletion and creation of posts, duplication of content, unauthorized updates to plugin settings, and manipulation of user accounts. These actions can compromise the integrity, availability, and confidentiality of the WordPress site.
What immediate steps should I take to mitigate this vulnerability?
Update the Droip plugin to a version later than 2.2.0, where the capability check is present; every release up to and including 2.2.0 is affected. If you cannot update immediately, deactivate the plugin until you can, because the vulnerable handlers are registered by the plugin itself and are not reachable once it is inactive. Blocking admin-ajax.php outright is not a substitute: that endpoint is shared by WordPress core and every other plugin. Reduce exposure instead by closing open registration (Settings > General, "Anyone can register") and removing or auditing untrusted Subscriber accounts, since a Subscriber login is all an attacker needs. Finally, review post creation, deletion and duplication, plugin setting changes, and user-account changes for activity that does not match the account's role, and treat such events as indicators of exploitation.
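The following is an added example, not code from the Droip plugin or from BaseFortify. It illustrates the CWE-862 pattern the Q&A above describes (an AJAX handler reachable by any logged-in user with no capability check) and the fix the mitigation section calls for. All names are hypothetical: the AJAX actions `example_post_apis_unchecked` and `example_post_apis`, the handler functions, the `op`/`post_id`/`title` parameters and the nonce action `example_post_apis_nonce` are assumptions for illustration only; the real plugin's action names and parameters are not given on this page.

```php
<?php
// Added example, not Droip's code. Hypothetical names throughout (see lead-in).

// ---- Vulnerable pattern: missing capability check (CWE-862) ---------------
// wp_ajax_{action} fires for EVERY authenticated user, Subscribers included.
// Nothing below asks whether the caller may perform the requested operation,
// so a Subscriber can delete or publish posts through admin-ajax.php.
add_action( 'wp_ajax_example_post_apis_unchecked', 'example_post_apis_unchecked' );

function example_post_apis_unchecked() {
    $op      = isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '';
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    switch ( $op ) {
        case 'delete':
            wp_delete_post( $post_id, true ); // bypasses trash; no ownership check
            break;
        case 'create':
            wp_insert_post( array(
                'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
                'post_status' => 'publish',
            ) );
            break;
        default:
            wp_send_json_error( array( 'message' => 'unknown op' ), 400 );
    }
    wp_send_json_success();
}

// ---- Hardened pattern: nonce check + per-operation capability check --------
add_action( 'wp_ajax_example_post_apis', 'example_post_apis' );

// Map each operation to the capability that authorizes it. Meta-capabilities
// such as delete_post / edit_post are resolved per post by map_meta_cap()
// (ownership, post status), so the post ID is passed along with them.
function example_post_apis_required_cap( $op, $post_id ) {
    switch ( $op ) {
        case 'delete':    return array( 'delete_post', $post_id );
        case 'duplicate': return array( 'edit_post', $post_id );
        case 'create':    return array( 'publish_posts' );
        case 'settings':  return array( 'manage_options' );
        case 'user':      return array( 'edit_users' );
        default:          return null; // unknown operation: always refused
    }
}

function example_post_apis() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() ends the request (HTTP 403) when it fails.
    check_ajax_referer( 'example_post_apis_nonce', 'nonce' );

    $op      = isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '';
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // 2. Authorization: this is the check the vulnerable handler lacks.
    //    wp_send_json_error() calls wp_die(), so execution stops here on failure.
    $cap = example_post_apis_required_cap( $op, $post_id );
    if ( null === $cap || ! current_user_can( ...$cap ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    switch ( $op ) {
        case 'delete':
            wp_delete_post( $post_id, true );
            break;
        case 'create':
            wp_insert_post( array(
                'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
                'post_status' => 'publish',
            ) );
            break;
        case 'duplicate':
            $src = get_post( $post_id );
            if ( $src ) {
                wp_insert_post( array(
                    'post_title'   => $src->post_title . ' (copy)',
                    'post_content' => $src->post_content,
                    'post_type'    => $src->post_type,
                    'post_status'  => 'draft', // never auto-publish a copy
                ) );
            }
            break;
        // 'settings' and 'user' operations would sit behind the same gate.
    }
    wp_send_json_success();
}
```

The client side must obtain the nonce from `wp_create_nonce( 'example_post_apis_nonce' )` (typically handed to the script via `wp_localize_script()`) and post it in the `nonce` field; the nonce alone is not an authorization check, which is why `current_user_can()` is still required. Neither handler registers a `wp_ajax_nopriv_` variant, so anonymous visitors cannot reach them; that matches the advisory's requirement of at least a Subscriber account. To confirm which version a site is running, `wp plugin get droip --field=version` prints the installed version, and anything at or below 2.2.0 is in the affected range listed above.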