CVE-2025-14397
Unknown Unknown - Not Provided
Privilege Escalation in Postem Ipsum Plugin via Missing Capability Check

Publication date: 2025-12-13

Last updated on: 2025-12-13

Assigner: Wordfence

Description
The Postem Ipsum plugin for WordPress is vulnerable to unauthorized modification of data to Privilege Escalation due to a missing capability check on the postem_ipsum_generate_users() function in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary user accounts with the administrator role.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-13
Last Modified
2025-12-13
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14397
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress postem_ipsum *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Postem Ipsum plugin for WordPress has a vulnerability due to a missing capability check in the postem_ipsum_generate_users() function. This allows authenticated users with Subscriber-level access or higher to create arbitrary user accounts with administrator privileges, leading to privilege escalation.

Impact Analysis

This vulnerability can allow an attacker with low-level access (Subscriber) to escalate their privileges by creating administrator accounts. This can lead to full control over the WordPress site, including data modification, site configuration changes, and potentially complete site takeover.

Compliance Impact

This vulnerability allows authenticated attackers with Subscriber-level access to escalate privileges and create arbitrary administrator accounts. Such unauthorized privilege escalation can lead to unauthorized access and modification of sensitive data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate strict access controls and protection of personal and sensitive information. [2]

Detection Guidance

This vulnerability can be detected by checking if the Postem Ipsum WordPress plugin is installed and its version is up to and including 3.0.1. Since the vulnerability allows authenticated users with Subscriber-level access or above to create arbitrary administrator accounts, monitoring for unexpected new administrator accounts in WordPress is a key detection method. Additionally, reviewing WordPress user accounts for recently created administrator roles that were not authorized can help detect exploitation. Specific commands are not provided in the resources, but you can use WordPress CLI commands such as `wp user list --role=administrator` to list administrator users and check for suspicious accounts. Network detection might involve monitoring for POST requests to AJAX endpoints related to user generation, such as those handled by `postem_ipsum_generate_users()` function, but no explicit commands are given. [2]

Mitigation Strategies

Immediate mitigation steps include updating the Postem Ipsum plugin to a version later than 3.0.1 where the vulnerability is fixed. If an update is not immediately available, restrict access to the plugin's administrative AJAX endpoints by limiting user roles that can access them, as the vulnerability arises from missing capability checks allowing Subscriber-level users to create admin accounts. Monitoring and removing any unauthorized administrator accounts is also recommended. Additionally, reviewing and tightening WordPress user role permissions and applying standard WordPress security best practices can help mitigate exploitation. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14397. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart