Severity by source
CVSS vector (NVD, the only source rating this CVE): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description (CVE.org)
The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, such as a subscriber, to perform privileged operations. An attacker can install and activate a plugin from a user-supplied URL, leading to arbitrary PHP code execution, and can also import demo content that rewrites site configuration, including theme_mods, pages, menus, and front page settings.
Analysis (AI)
Restaurant Cafeteria WordPress theme through version 0.4.6 allows authenticated subscribers to execute arbitrary PHP code and modify site configuration through unprotected admin-ajax actions lacking nonce and capability checks. An attacker with subscriber-level access can install malicious plugins from attacker-controlled URLs or import demo content that overwrites critical site settings, pages, menus, and theme configuration. Publicly available exploit code exists for this vulnerability.
Technical Context (AI)
The Restaurant Cafeteria WordPress theme implements AJAX endpoints that perform administrative operations without the two WordPress security mechanisms such handlers require: nonce verification (wp_verify_nonce / check_ajax_referer) and capability checks (current_user_can). Because the wp_ajax_ hooks fire for every authenticated user, this allows privilege escalation from the lowest authenticated role (subscriber) to actions normally restricted to administrators. The vulnerability enables two attack paths: direct plugin installation via admin-ajax handlers that accept user-supplied plugin URLs without validation, and mass-assignment style attacks through demo content import functions that overwrite core WordPress options (site title, pages, menus, front page settings) and theme-specific modifications stored in wp_options. The affected component is the theme's admin-ajax handler implementation, which enforces neither request-origin validation (the nonce) nor authorization (the capability check), both of which WordPress security best practices require for any state-changing AJAX action.
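As an added illustration of the missing checks described above (not the theme's own code): a state-changing admin-ajax handler gated the way WordPress expects, using real core functions. The action names, the rc_ prefix, the rc-admin script handle and rc_perform_import() are hypothetical.

```php
<?php
// Added example, not code from the Restaurant Cafeteria theme. Action names,
// the rc_ prefix, the 'rc-admin' script handle and rc_perform_import() are hypothetical.

// wp_ajax_{action} fires for ANY logged-in user, subscribers included. The hook
// itself is not an authorization check, so the handler must perform both checks.
add_action( 'wp_ajax_rc_import_demo', 'rc_ajax_import_demo' );

function rc_ajax_import_demo() {
    // 1. Request origin: the request must carry a nonce minted for this exact action
    //    and this user. check_ajax_referer() terminates the request if it is missing
    //    or invalid, so nothing below runs on a forged or replayed call.
    check_ajax_referer( 'rc_import_demo', 'nonce' );

    // 2. Authorization: importing demo content rewrites options, pages and menus,
    //    so require the capability that normally gates those changes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Only then validate the input and act.
    $demo = isset( $_POST['demo'] ) ? sanitize_key( wp_unslash( $_POST['demo'] ) ) : '';
    if ( '' === $demo ) {
        wp_send_json_error( array( 'message' => 'Missing demo id.' ), 400 );
    }
    rc_perform_import( $demo ); // hypothetical: the theme's own import routine
    wp_send_json_success();
}

// A plugin-installing action needs a distinct nonce and the install_plugins
// capability; reusing the import nonce or checking only is_user_logged_in()
// would leave the same subscriber-to-admin path open.
add_action( 'wp_ajax_rc_install_plugin', 'rc_ajax_install_plugin' );

function rc_ajax_install_plugin() {
    check_ajax_referer( 'rc_install_plugin', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Installation logic would follow here, accepting a wordpress.org slug rather
    // than a free-form URL so the fetched package comes from the official repository.
    wp_send_json_success();
}

// Nonces are minted server-side for the current user and passed to the admin
// script; they expire and are tied to the session, so they cannot be shared.
function rc_admin_scripts() {
    wp_localize_script( 'rc-admin', 'rcAjax', array(
        'url'          => admin_url( 'admin-ajax.php' ),
        'importNonce'  => wp_create_nonce( 'rc_import_demo' ),
        'installNonce' => wp_create_nonce( 'rc_install_plugin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'rc_admin_scripts' );
```

When auditing a theme for this class of bug, grep its wp_ajax_ registrations and confirm each handler reaches check_ajax_referer() and current_user_can() before any option update, file write or plugin activation.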
Remediation (AI)
Update the Restaurant Cafeteria WordPress theme to a version newer than 0.4.6 immediately. No specific patched version number is confirmed in the provided advisory data; consult the official theme repository or the vendor changelog via https://wpscan.com/vulnerability/f3f4a734-5828-4e3f-a170-28189aeda929/ for the exact minimum safe version. As a temporary workaround pending the update, restrict subscriber role permissions through WordPress role management or a security plugin that blocks unauthorized admin-ajax actions; this does not address the underlying code defect and should not be relied upon as a permanent solution. WordPress administrators should also audit user accounts, installed plugins and imported demo content to identify and remove anything suspicious that may have been deployed via this attack vector.
Related identifiers
EUVD-2025-209110
GHSA-v474-g846-5m4r