Description

The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges.
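As an added illustration of the missing-authorization pattern (CWE-862) this record describes, and not the plugin's own code: a WordPress AJAX import handler in its unprotected shape, followed by a hardened version that requires an authenticated user with the `manage_options` capability, a valid nonce, a validated `import_api` URL, and never honours a privileged role supplied in the imported JSON. The hook names, the `example_*` function names and the JSON layout are hypothetical.

```php
<?php
/**
 * Illustrative WordPress import handler (added example, not the plugin's code).
 * All hook and function names below are hypothetical.
 */

// --- Unprotected shape: registered for anonymous callers and with no capability check.
add_action( 'wp_ajax_nopriv_example_import', 'example_process_handler_unprotected' );
add_action( 'wp_ajax_example_import',        'example_process_handler_unprotected' );

function example_process_handler_unprotected() {
    // Nothing here checks who the caller is or whether they may import data,
    // and the role requested in the fetched JSON is applied as-is.
    $url  = isset( $_POST['import_api'] ) ? $_POST['import_api'] : '';
    $body = wp_remote_retrieve_body( wp_remote_get( $url ) );
    example_apply_import( (array) json_decode( $body, true ) );
    wp_die();
}

// --- Hardened shape: authenticated only, capability-gated, nonce-protected,
//     URL validated, and imported users forced into an unprivileged role.
add_action( 'wp_ajax_example_import', 'example_process_handler_hardened' );
// No wp_ajax_nopriv_ registration: anonymous requests never reach this handler.

function example_process_handler_hardened() {
    // 1. Authorization: only users who may manage the site can import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a valid nonce (dies on failure).
    check_ajax_referer( 'example_import_nonce', '_wpnonce' );

    // 3. Input validation: only fetch well-formed http(s) URLs.
    $url = isset( $_POST['import_api'] ) ? esc_url_raw( wp_unslash( $_POST['import_api'] ) ) : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid import_api url', 400 );
    }

    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'invalid JSON', 400 );
    }

    example_apply_import( $data, true );
    wp_send_json_success();
}

/**
 * Apply imported user records (hypothetical JSON layout: {"users": [...]}).
 * When $restrict_roles is true, every imported user is created as a subscriber
 * regardless of the role named in the JSON.
 */
function example_apply_import( array $data, $restrict_roles = false ) {
    $users = isset( $data['users'] ) ? (array) $data['users'] : array();
    foreach ( $users as $user ) {
        $args = array(
            'user_login' => sanitize_user( isset( $user['user_login'] ) ? $user['user_login'] : '' ),
            'user_email' => sanitize_email( isset( $user['user_email'] ) ? $user['user_email'] : '' ),
            'user_pass'  => wp_generate_password( 24 ),
            'role'       => $restrict_roles ? 'subscriber'
                                            : ( isset( $user['role'] ) ? $user['role'] : 'subscriber' ),
        );
        if ( '' !== $args['user_login'] && is_email( $args['user_email'] ) ) {
            wp_insert_user( $args );
        }
    }
}
```

The two decisive differences are the absence of a `wp_ajax_nopriv_` registration and the `current_user_can()` check at the top of the hardened handler; the nonce, URL validation and role restriction are defence in depth, so that even an authorized import cannot be abused to mint administrators.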

Status: Published | Reserved 2025-05-27 | Published 2025-06-13 | Updated 2025-06-13 | Assigner: Wordfence

CRITICAL: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-862 Missing Authorization

Product status

Default status: unaffected

1.0.0 (semver): affected

Timeline

2025-06-12: Disclosed

Credits

Kenneth Dunn (finder)

References

www.wordfence.com/...-f028-436c-a8af-3c17378b9743?source=cve

plugins.trac.wordpress.org/.../wot-rapi-import-functions.php

wordpress.org/plugins/import-export-with-custom-rest-api/

cve.org (CVE-2025-5288)

nvd.nist.gov (CVE-2025-5288)