CVE-2025-6441
BaseFortify
Publication date: 2025-07-24
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webinarignition | webinar_ignition | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WebinarIgnition WordPress plugin up to version 4.03.31. It allows unauthenticated attackers to generate login tokens for arbitrary WordPress users because the functions `webinarignition_sign_in_support_staff` and `webinarignition_register_support` lack proper capability checks. This means attackers can obtain authorization cookies and bypass authentication without needing valid credentials.
How can this vulnerability impact me? :
The vulnerability can lead to authentication bypass, allowing attackers to impersonate arbitrary WordPress users. This can result in unauthorized access to sensitive information, modification of website content, or administrative control depending on the compromised user accounts. The CVSS score of 9.8 indicates a critical impact on confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WebinarIgnition WordPress plugin to a version later than 4.03.31 where the missing capability checks on the `webinarignition_sign_in_support_staff` and `webinarignition_register_support` functions have been fixed. Additionally, restrict access to the plugin files and monitor for unauthorized login token generation attempts. Consider disabling or removing the plugin if an update is not available.