CVE-2025-6380
BaseFortify
Publication date: 2025-07-24
Last updated on: 2025-07-25
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| onlyoffice | docs | 2.2.0 |
| php | php | 7.4 |
| wordpress | wordpress | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the ONLYOFFICE Docs WordPress plugin is a privilege escalation issue caused by a missing authorization check in its oo.callback REST endpoint. The plugin verifies only that the encrypted attachment ID corresponds to an existing attachment post; it does not verify the identity or permissions of the requester. As a result, unauthenticated attackers can log in as any user of the site.
How can this vulnerability impact me?
This vulnerability can have severe impact: it allows unauthenticated attackers to escalate privileges and log in as any user without authorization. This can lead to unauthorized access to sensitive information, modification or deletion of data, and potentially full control of the affected WordPress site, compromising confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or uninstalling the ONLYOFFICE Docs WordPress plugin (versions 1.1.0 to 2.2.0) until a secure update is released; the plugin was closed and made unavailable for download as of July 22, 2025. Additionally, keep your WordPress installation and plugins up to date, and monitor official sources for a patched version before re-enabling the plugin. [1]