CVE-2025-5060
BaseFortify
Publication date: 2025-08-23
Last updated on: 2026-04-08
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bravis | wordpress_plugin | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Bravis User plugin for WordPress has an authentication bypass vulnerability in all versions up to 1.0.0. This occurs because the plugin does not properly log in a user after their data has been verified through the facebook_ajax_login_callback() function. As a result, an unauthenticated attacker who has an existing account on the site and access to an administrative user's email can log in as that administrative user.
How can this vulnerability impact me?
This vulnerability can allow an unauthenticated attacker to gain administrative access to a WordPress site by bypassing authentication. This means the attacker can control the site, modify content, access sensitive information, and potentially disrupt or damage the site and its data.