
WordPress EUVD-2025-16984 | CVE-2025-5701 HIGH
Missing Authorization (CWE-862)
2025-06-05, security@wordfence.com
CVSS 3.1 (NVD): 8.8

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 17:53 (euvd), EUVD-2025-16984
Analysis Generated: Mar 14, 2026 - 17:53 (vuln.today)
CVE Published: Jun 05, 2025 - 12:15 (nvd), HIGH 8.8

Description (CVE.org)

The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Analysis (AI)

The HyperComments WordPress plugin, in versions up to and including 1.2.2, contains a critical missing capability check in the hc_request_handler function that allows unauthenticated remote attackers to modify arbitrary WordPress options. This can be exploited directly to escalate privileges by changing the default registration role to administrator and enabling user registration, granting attackers immediate administrative access to vulnerable sites. With a CVSS score of 9.8 and a network-based attack vector requiring no user interaction, this vulnerability poses an extreme risk to any unpatched WordPress installation using the affected plugin.

Technical Context (AI)

The vulnerability exists in the HyperComments plugin for WordPress, a third-party plugin that extends WordPress comment functionality. The root cause is CWE-862 (Missing Authorization / Capability Check): the hc_request_handler AJAX action handler fails to verify that the requesting user possesses the required WordPress capability (typically 'manage_options') before processing requests to modify site options. WordPress uses a role-based access control system in which the 'manage_options' capability is normally restricted to administrators. Because the handler is exposed on a publicly accessible AJAX endpoint and performs no capability check, unauthenticated attackers can invoke it and cause it to call update_option() on critical WordPress configuration. The attack turns WordPress's standard option update mechanism against the plugin's insufficient input validation and authorization controls.
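The pattern described above, as an added example that is not the HyperComments plugin's own code: a hypothetical admin-ajax option handler written first with the CWE-862 defect (no capability check, reachable by visitors with no session) and then in a hardened form that adds a nonce check, a capability check and an allow-list of writable options. The action names, the `hc_demo_` prefix and the option names are assumptions for illustration.

```php
<?php
// Added example, not code from the HyperComments plugin. Hook names, option
// names and the hc_demo_ prefix are assumptions chosen for illustration.

// --- Missing-authorization pattern (CWE-862) -------------------------------
// The wp_ajax_nopriv_* hook runs for requests with no logged-in user. Nothing
// below checks who is calling or which option may be written, so any request
// can set any option, including default_role and users_can_register.
function hc_demo_unsafe_handler() {
    $name  = isset($_POST['name'])  ? sanitize_key($_POST['name'])   : '';
    $value = isset($_POST['value']) ? wp_unslash($_POST['value'])    : '';
    update_option($name, $value);
    wp_send_json_success();
}
add_action('wp_ajax_hc_demo_request_unsafe',        'hc_demo_unsafe_handler');
add_action('wp_ajax_nopriv_hc_demo_request_unsafe', 'hc_demo_unsafe_handler');

// --- Hardened form ---------------------------------------------------------
// 1. No nopriv hook: the endpoint is not reachable without a logged-in user.
// 2. check_ajax_referer() rejects requests lacking a valid nonce (CSRF).
// 3. current_user_can('manage_options') enforces the administrator capability.
// 4. An allow-list confines writes to the plugin's own options, so core
//    settings such as default_role can never be reached through this path.
const HC_DEMO_ALLOWED_OPTIONS = ['hc_demo_widget_color', 'hc_demo_widget_position'];

function hc_demo_hardened_handler() {
    check_ajax_referer('hc_demo_settings', 'nonce');   // terminates on a bad nonce

    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    $name = isset($_POST['name']) ? sanitize_key($_POST['name']) : '';
    if (!in_array($name, HC_DEMO_ALLOWED_OPTIONS, true)) {
        wp_send_json_error(['message' => 'option not permitted'], 400);
    }

    $value = isset($_POST['value']) ? sanitize_text_field(wp_unslash($_POST['value'])) : '';
    update_option($name, $value);
    wp_send_json_success(['option' => $name]);
}
add_action('wp_ajax_hc_demo_request', 'hc_demo_hardened_handler');
```

The two handlers would never coexist in a real plugin; they are registered under different action names here only so the contrast is visible in one file. The allow-list is the step most often skipped: a capability check alone still lets a compromised administrator session write any option, whereas the allow-list bounds the damage to the plugin's own settings.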

Remediation (AI)

Immediate remediation steps:

1. Update the HyperComments plugin to version 1.2.3 or later (if available) or the latest stable release from the official WordPress.org plugin repository, as the vendor should have released a patch adding proper capability checks.
2. If no patch is available or delay is expected, immediately deactivate and remove the HyperComments plugin.
3. Review WordPress site options, particularly the default user role (option_name: 'default_role') and user registration settings (option_name: 'users_can_register'), for unauthorized modifications.
4. Audit administrator user accounts for unauthorized additions created post-exploitation.
5. Implement WordPress security hardening: enable two-factor authentication for all admin accounts, restrict AJAX endpoints via security plugins, and implement capability-based access controls.

Recommended workaround during patch delay: disable user registration under Settings > General and restrict AJAX handler access via .htaccess or firewall rules blocking requests to wp-admin/admin-ajax.php?action=hc_request_handler. Monitor the plugin repository for the official patch notification and release notes detailing the authorization fix.
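Steps 3 and 4 of the remediation list, carried out in code, as an added example that is not part of this page or of the HyperComments plugin. It is written as a must-use plugin (dropped into wp-content/mu-plugins/) that compares 'default_role' and 'users_can_register' against WordPress's shipped defaults and lists administrator accounts registered recently. The 30-day window, the expected option values and the `hc_audit_` names are assumptions to adjust per site.

```php
<?php
/**
 * Plugin Name: HC Option and Admin-Account Audit (added example)
 *
 * Added example, not the HyperComments plugin's code and not part of the
 * vuln.today page. Place in wp-content/mu-plugins/ to log the indicators
 * the remediation section asks you to review. Window and expected values
 * are assumptions; adjust them for the site being checked.
 */

// WordPress ships with these values; a different value is worth a review,
// even though some sites change them legitimately.
const HC_AUDIT_EXPECTED = [
    'default_role'       => 'subscriber',
    'users_can_register' => '0',
];
const HC_AUDIT_RECENT_DAYS = 30;   // assumption: look back 30 days

/**
 * Returns human-readable findings; an empty array means none of the
 * checked indicators deviates from the expected state.
 */
function hc_audit_findings() {
    $findings = [];

    // Indicator 1: the two options the escalation path modifies.
    foreach (HC_AUDIT_EXPECTED as $name => $expected) {
        $actual = (string) get_option($name);
        if ($actual !== $expected) {
            $findings[] = sprintf("option %s is '%s' (expected '%s')", $name, $actual, $expected);
        }
    }

    // Indicator 2: administrator accounts created inside the window. The
    // escalation path ends with a newly registered user holding that role.
    $cutoff = time() - HC_AUDIT_RECENT_DAYS * DAY_IN_SECONDS;
    $admins = get_users([
        'role'   => 'administrator',
        'fields' => ['ID', 'user_login', 'user_registered'],
    ]);
    foreach ($admins as $admin) {
        // user_registered is a MySQL datetime stored in UTC.
        if (strtotime($admin->user_registered . ' UTC') >= $cutoff) {
            $findings[] = sprintf('administrator #%d (%s) registered %s',
                $admin->ID, $admin->user_login, $admin->user_registered);
        }
    }

    return $findings;
}

// Write findings to the PHP error log whenever the dashboard loads. For
// unattended sites, hook hc_audit_findings() to a WP-Cron event instead.
add_action('admin_init', function () {
    foreach (hc_audit_findings() as $line) {
        error_log('[hc-audit] ' . $line);
    }
});
```

Comparing against shipped defaults rather than against "whatever the site had last week" is deliberate: after a compromise the previous state may itself have been tampered with, so the audit anchors on values that are independent of the site's history.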


EUVD-2025-16984 vulnerability details – vuln.today
