CVE-2025-5288

The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/import-export-with-custom-rest-api/tags/2.0.3/backend/methods/wot-rapi-import-functions.php#L123
https://wordpress.org/plugins/import-export-with-custom-rest-api/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/0e2774fc-f028-436c-a8af-3c17378b9743?source=cve

Configurations

No configuration.

History

16 Jun 2025, 12:32

Type	Values Removed	Values Added
Summary		(es) El complemento REST API \| Custom API Generator For Cross Platform And Import Export In WP para WordPress es vulnerable a la escalada de privilegios debido a la falta de una comprobación de capacidad en la función process_handler() en las versiones 1.0.0 a 2.0.3. Esto permite a atacantes no autenticados publicar una URL import_api arbitraria, importar JSON especialmente manipulado y, por lo tanto, crear un nuevo usuario con privilegios de administrador.

13 Jun 2025, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-13 03:15

Updated : 2025-06-16 12:32

NVD link : CVE-2025-5288

Mitre link : CVE-2025-5288

CVE.ORG link : CVE-2025-5288

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

9.8 /10