CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
Description
The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges.
Analysis
The REST API | Custom API Generator For Cross Platform And Import Export plugin for WordPress (versions 1.0.0-2.0.3) contains a critical privilege escalation vulnerability where the process_handler() function lacks capability checks, allowing unauthenticated attackers to create administrator accounts via malicious JSON imports. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this is a severe, likely actively exploited vulnerability affecting any WordPress installation using vulnerable plugin versions.
Technical Context
The vulnerability exists in a WordPress REST API plugin that generates custom API endpoints for data import/export functionality. The root cause is CWE-862 (Missing Authorization): the process_handler() function never checks the caller's WordPress capabilities (e.g. via current_user_can()) or a nonce (wp_verify_nonce()) before processing POST requests to the import_api endpoint. The plugin accepts an arbitrary URL via the import_api parameter and processes the JSON it returns without any authentication, directly creating user objects with the Administrator role. This bypasses WordPress's standard protection against privilege escalation, which relies on authenticated sessions and role-based access control (RBAC). The affected component is the custom REST endpoint handler, most likely registered via register_rest_route() without a proper permission_callback.
Affected Products
Affected Product: REST API | Custom API Generator For Cross Platform And Import Export (WordPress Plugin).
Affected Versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.3.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3 (all versions prior to the 2.0.4 or later patch release).
Estimated CPE: cpe:2.4:a:*:rest_api_custom_api_generator_for_cross_platform_and_import_export:*:*:*:*:*:wordpress:*:* (vendor slug to be confirmed from the WordPress plugin directory).
Configuration Risk: Any WordPress site with this plugin installed and activated at version 2.0.3 or earlier, regardless of its authentication configuration. Because the wp-json endpoints are reachable without authentication, every public-facing WordPress site running the plugin is at risk.
Remediation
IMMEDIATE ACTIONS:
(1) Update the plugin to version 2.0.4 or later if available (the patch release adds authorization checks to process_handler()).
(2) If no patch is available, deactivate the plugin immediately and remove it from wp-content/plugins/.
(3) Conduct an emergency audit of WordPress user accounts created after the plugin was installed: check the wp_users table for suspicious Administrator accounts created via the REST API.
MITIGATION (while a patch is pending): Restrict access to the wp-json endpoints via .htaccess (deny POST requests to wp-json/* except from trusted IP addresses), or use a WordPress security plugin to block unauthenticated REST API POST requests.
DETECTION: Search wp-admin audit logs and the wp_users table for accounts created through the REST API endpoint with an empty referrer.
CHECK VENDOR ADVISORY: Review the plugin's WordPress.org repository page for CVE-2025-5288 patch notes and the changelog for the confirmed patched version.
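As an added illustration of the missing check described under Technical Context and the authorization fix that Remediation calls for (example code, not the plugin's own source): a WordPress REST import route registered with a permission_callback, whose handler re-checks the capability, fetches only a validated URL and never takes a role from imported data. The namespace, route, parameter and function names are assumed.

```php
<?php
// Added example, not the plugin's own code: a privileged REST import endpoint
// registered so WordPress rejects unauthenticated callers before the handler
// runs. Namespace, route, parameter and function names are assumed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-import/v1', '/import', array(
        'methods'  => WP_REST_Server::CREATABLE, // POST
        'callback' => 'example_process_handler',
        // The piece a CWE-862 bug lacks: WordPress runs this before the callback and answers 401/403 on false or WP_Error.
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error( 'rest_forbidden', 'Insufficient capabilities.',
                array( 'status' => rest_authorization_required_code() ) );
        },
    ) );
} );
function example_process_handler( WP_REST_Request $request ) {
    // Defence in depth: re-check so a later edit to the route registration cannot silently reopen the hole.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capabilities.', array( 'status' => 403 ) );
    }
    // wp_safe_remote_get() only fetches well-formed http(s) URLs and refuses
    // ones that resolve to non-public hosts, so an arbitrary string is rejected.
    $response = wp_safe_remote_get( (string) $request->get_param( 'import_api' ), array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $items = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $items ) ) {
        return new WP_Error( 'rest_invalid_import', 'Import body is not a JSON array.', array( 'status' => 400 ) );
    }
    $created = array();
    foreach ( $items as $item ) {
        // Never take a role from imported data: each account gets the site's
        // default (non-privileged) role, whatever the JSON says.
        $user_id = wp_insert_user( array(
            'user_login' => sanitize_user( $item['user_login'] ?? '', true ),
            'user_email' => sanitize_email( $item['user_email'] ?? '' ),
            'user_pass'  => wp_generate_password( 24 ),
            'role'       => get_option( 'default_role', 'subscriber' ),
        ) );
        if ( ! is_wp_error( $user_id ) ) {
            $created[] = $user_id;
        }
    }
    return rest_ensure_response( array( 'created' => $created ) );
}
```

Granting Administrator through an import, if ever needed, should be a separate explicit step performed by an already-authenticated administrator, not something the imported JSON can request.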
Priority Score
EUVD-2025-18240