CVE-2025-10299
BaseFortify

Publication date: 2025-10-15

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ctl_create_link AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts and subsequently log in as those.
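The flaw the advisory describes is the CWE-862 pattern in a WordPress AJAX handler: `wp_ajax_{action}` hooks fire for every logged-in user regardless of role, so a handler that creates a user without its own capability check is reachable by a Subscriber. The following is an added illustration written for this page, not the plugin's code; the handler bodies, the `role` request parameter and the nonce name are assumptions, and only the action name comes from the advisory.

```php
<?php
// Added illustration of the CWE-862 pattern, not WPBifröst's own code.
// The bodies, the 'role' POST parameter and the nonce name are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// Shown for comparison only; it is NOT hooked below. If it were registered
// with add_action( 'wp_ajax_ctl_create_link', ... ), the only gate would be
// "is logged in", which a Subscriber satisfies, and the caller could choose
// the role of the account being created.
function ctl_create_link_vulnerable() {
    $role = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : 'subscriber';
    $user_id = wp_insert_user( array(
        'user_login' => 'temp_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24, true ),
        'role'       => $role,   // caller-controlled: this is the escalation
    ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_ctl_create_link', 'ctl_create_link_hardened' );
function ctl_create_link_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce( 'ctl_create_link' ) on the issuing page).
    check_ajax_referer( 'ctl_create_link', 'nonce' );

    // 2. Authorization: the missing check. Creating and role-assigning users
    //    requires the core capabilities that guard the same actions in wp-admin.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Never trust a caller-supplied role. get_editable_roles() (available in
    //    admin-ajax context) returns only roles the current user may assign.
    $requested = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : 'subscriber';
    if ( ! array_key_exists( $requested, get_editable_roles() ) ) {
        wp_send_json_error( array( 'message' => 'Role not permitted.' ), 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => 'temp_' . wp_generate_password( 8, false ),
        'user_pass'  => wp_generate_password( 24, true ),
        'role'       => $requested,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The order matters: the nonce check stops cross-site requests from a victim administrator's browser, the capability check stops low-privileged accounts, and the role allow-list stops a legitimately authorized caller from minting a higher role than their own. A nonce alone is not an authorization check; a Subscriber can obtain a valid nonce from any page that prints one.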
Meta Information
Published: 2025-10-15
Last Modified: 2026-04-08
Generated: 2026-06-16
AI Q&A: 2025-10-15
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: hakik_zaman
Product: wpbifrost
Version / Range: 1.0.7
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in the WPBifröst – Instant Passwordless Temporary Login Links WordPress plugin, where a missing capability check on the ctl_create_link AJAX action allows authenticated users with Subscriber-level access or higher to escalate their privileges. Specifically, they can create new administrative user accounts and log in as those administrators, bypassing normal security controls. [1]

Impact Analysis

The vulnerability can have a severe impact by allowing low-privileged authenticated users to gain administrative access to the WordPress site. This can lead to full site compromise, including unauthorized changes, data theft, or disruption of services.

Mitigation Strategies

Immediately disable or remove the WPBifröst – Instant Passwordless Temporary Login Links plugin from your WordPress installation, as it has been temporarily closed and removed from download pending a full security review. Avoid using versions up to and including 1.0.7 until a secure update is released. Additionally, review your WordPress user accounts for any unauthorized administrative users created via this vulnerability and remove them. [1]
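To support the account-review step above, here is an added audit script, not from BaseFortify or the plugin, that lists every administrator account and flags those registered on or after the advisory's publication date. It is meant to be run with WP-CLI from the site root (`wp eval-file audit-admins.php`); the file name and the cutoff date are assumptions to adjust for your own timeline.

```php
<?php
// Added example (not BaseFortify's or the plugin's code): list administrator
// accounts and flag recent registrations for manual review.
// Run with WP-CLI so WordPress is loaded:  wp eval-file audit-admins.php
// The cutoff below is this advisory's publication date; adjust as needed.

$cutoff = '2025-10-15 00:00:00';

// Accounts holding the administrator role, newest first.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );

// Also catch users granted admin-level capability through a custom role;
// the 'capability' query argument requires WordPress 5.9 or later.
$by_cap = get_users( array( 'capability' => 'manage_options' ) );

$seen = array();
printf( "%-6s %-24s %-32s %-20s %s\n", 'ID', 'login', 'email', 'registered', 'note' );
foreach ( array_merge( $admins, $by_cap ) as $u ) {
    if ( isset( $seen[ $u->ID ] ) ) {
        continue;
    }
    $seen[ $u->ID ] = true;
    $flag = ( $u->user_registered >= $cutoff ) ? 'REVIEW: registered after cutoff' : '';
    printf( "%-6d %-24s %-32s %-20s %s\n",
        $u->ID, $u->user_login, $u->user_email, $u->user_registered, $flag );
}
printf( "\n%d privileged account(s) found.\n", count( $seen ) );
```

Registration date is only a starting point: also compare the list against your own records of who should hold the role, and on multisite installs repeat the check per site and review the super-admin list as well.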
