
Description

The age-restriction WordPress plugin through 3.0.2 does not perform an authorisation check in the age_restrictionRemoteSupportRequest function, allowing any authenticated user, such as a subscriber, to create an admin user with a hardcoded username and an arbitrary password.

PUBLISHED Reserved 2025-10-16 | Published 2025-11-11 | Updated 2025-11-13 | Assigner WPScan

Problem types

CWE-269 Improper Privilege Management

Product status

Default status: affected

Any version: affected

Credits

Khaled Alenazi (Nxploited): finder

WPScan: coordinator

References

wpscan.com/...rability/1a16440e-817f-4ec2-9c70-261f6b63fb8a/ exploit vdb-entry technical-description

cve.org (CVE-2025-11855)

nvd.nist.gov (CVE-2025-11855)
