CVE-2025-14364
Unknown Unknown - Not Provided
Privilege Escalation in Demo Importer Plus Plugin via Missing Capability Check

Publication date: 2025-12-18

Last updated on: 2025-12-18

Assigner: Wordfence

Description
The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14364
EUVD
EUVD-2025-204251
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress demo_importer_plus 2.0.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediately update the Demo Importer Plus plugin to version 2.0.9 or later, which includes enhanced permission checks on all AJAX actions to prevent unauthorized access. This update enforces capability checks such as requiring 'manage_options' and 'import' capabilities before allowing sensitive operations like site reset or demo import. Until the update is applied, restrict access to users with Subscriber-level permissions or higher and monitor for suspicious AJAX requests related to the plugin. [1]

Executive Summary

The vulnerability in the Demo Importer Plus WordPress plugin allows authenticated users with Subscriber-level access or higher to bypass capability checks in the Ajax::handle_request() function. This lets them trigger a full site reset that drops all database tables except users and usermeta, and re-runs the WordPress installation process, which assigns the Administrator role to the attacking user. Essentially, it enables unauthorized modification of data, loss of data, and privilege escalation. [1]

Impact Analysis

This vulnerability can have severe impacts including complete loss of site data (except user data), unauthorized privilege escalation where an attacker can gain Administrator access, and unauthorized modification of site data. An attacker with minimal privileges can effectively take over the entire WordPress site and reset it, causing significant disruption and potential data loss. [1]

Detection Guidance

You can detect attempts to exploit this vulnerability by monitoring AJAX requests to the Demo Importer Plus plugin's AJAX handler, specifically looking for unauthorized requests to actions like 'do-reinstall' which triggers a full site reset. Checking server logs or using tools like curl or wget to simulate requests can help verify if capability checks are enforced. For example, you can run a command to attempt the 'do-reinstall' action without proper permissions and observe if a 403 error is returned: curl -X POST -d 'action=do-reinstall' https://yourwordpresssite.com/wp-admin/admin-ajax.php -b 'cookie_for_subscriber_user'. If the response is a 403 error with a permission message, the site is patched; otherwise, it may be vulnerable. [1]

Compliance Impact

The provided resources do not contain information on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14364. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart