CVE-2025-4672 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

The Offsprout Page Builder plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization placed on the permission_callback() function…
High CVSS: 8.8

CVE-2025-4672

The Offsprout Page Builder plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization placed on the permission_callback() function in versions 2.2.1 to 2.15.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to read, create, update or delete any user meta, including flipping their own wp_capabilities to administrator and fully escalate their privileges.
Vendor
-
Product
-
CWE
CWE-285
Yayın Tarihi
2025-05-31 07:15:21
Güncelleme
2025-06-02 17:32:17
Source Identifier
security@wordfence.com
KEV Date Added
-

Kategoriler

CWE-285 HIGH 2025

Referanslar

https://plugins.trac.wordpress.org/browser/offsprout-page-builder/tags/2.15.2/api/class-offsprout-api-extensions.php#L5 https://plugins.trac.wordpress.org/browser/offsprout-page-builder/tags/2.15.2/api/class-offsprout-api-extensions.php#L514 https://wordpress.org/plugins/offsprout-page-builder/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/9269d18d-8d83-43ff-b777-ba8f58321e9e?source=cve