CVE-2025-5288
REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function
The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges.
Reserved 2025-05-27 | Published 2025-06-13 | Updated 2025-06-13 | Assigner Wordfence| 2025-06-12: | Disclosed |
Kenneth Dunn
www.wordfence.com/...-f028-436c-a8af-3c17378b9743?source=cve
plugins.trac.wordpress.org/.../wot-rapi-import-functions.php
wordpress.org/plugins/import-export-with-custom-rest-api/
Support options
