Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges.
AnalysisAI
The REST API | Custom API Generator For Cross Platform And Import Export plugin for WordPress (versions 1.0.0-2.0.3) contains a critical privilege escalation vulnerability where the process_handler() function lacks capability checks, allowing unauthenticated attackers to create administrator accounts via malicious JSON imports. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this is a severe, likely actively exploited vulnerability affecting any WordPress installation using vulnerable plugin versions.
Technical ContextAI
The vulnerability exists in a WordPress REST API plugin that generates custom API endpoints for data import/export functionality. The root cause is CWE-862 (Missing Authorization/Capability Check), where the process_handler() function fails to validate WordPress capabilities (wp_verify_nonce, current_user_can) before processing POST requests to the import_api endpoint. The plugin accepts arbitrary URLs via the import_api parameter and processes JSON payloads without authentication, directly instantiating user objects with administrator role assignment. This bypasses WordPress's standard privilege escalation protections, which rely on authenticated sessions and role-based access control (RBAC). The affected component is the custom REST endpoint handler, likely registered via add_rest_route() without proper permission callbacks.
RemediationAI
IMMEDIATE ACTIONS: (1) Update plugin to version 2.0.4 or later if available (patch release containing authorization checks on process_handler()); (2) If patch unavailable, disable/deactivate the plugin immediately and remove from wp-content/plugins/; (3) Conduct emergency audit of WordPress user accounts created after plugin installation—check wp_users table for suspicious admin accounts created via REST API. MITIGATION (if patch delay): Restrict access to wp-json endpoints via .htaccess (deny all wp-json/* POST requests from non-authenticated IPs), or use WordPress security plugins to block unauthenticated REST API POST requests. DETECTION: Search wp-admin audit logs and wp_users table for accounts created via REST API endpoint with empty referrer. CHECK VENDOR ADVISORY: Review WordPress.org plugin repository page for CVE-2025-5288 patch notes and changelog for confirmed patch version.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18240