CVE-2025-14364
Privilege Escalation in Demo Importer Plus Plugin via Missing Capability Check
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | demo_importer_plus | 2.0.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediately update the Demo Importer Plus plugin to version 2.0.9 or later, which includes enhanced permission checks on all AJAX actions to prevent unauthorized access. This update enforces capability checks such as requiring 'manage_options' and 'import' capabilities before allowing sensitive operations like site reset or demo import. Until the update is applied, restrict access to users with Subscriber-level permissions or higher and monitor for suspicious AJAX requests related to the plugin. [1]
Can you explain this vulnerability to me?
The vulnerability in the Demo Importer Plus WordPress plugin allows authenticated users with Subscriber-level access or higher to bypass capability checks in the Ajax::handle_request() function. This lets them trigger a full site reset that drops all database tables except users and usermeta, and re-runs the WordPress installation process, which assigns the Administrator role to the attacking user. Essentially, it enables unauthorized modification of data, loss of data, and privilege escalation. [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including complete loss of site data (except user data), unauthorized privilege escalation where an attacker can gain Administrator access, and unauthorized modification of site data. An attacker with minimal privileges can effectively take over the entire WordPress site and reset it, causing significant disruption and potential data loss. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect attempts to exploit this vulnerability by monitoring AJAX requests to the Demo Importer Plus plugin's AJAX handler, specifically looking for unauthorized requests to actions like 'do-reinstall' which triggers a full site reset. Checking server logs or using tools like curl or wget to simulate requests can help verify if capability checks are enforced. For example, you can run a command to attempt the 'do-reinstall' action without proper permissions and observe if a 403 error is returned: curl -X POST -d 'action=do-reinstall' https://yourwordpresssite.com/wp-admin/admin-ajax.php -b 'cookie_for_subscriber_user'. If the response is a 403 error with a permission message, the site is patched; otherwise, it may be vulnerable. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.