CVE-2025-6388

Critical CVSS: 9.8

The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.2.14. This is due to the custom_actions() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's username.

Vendor

Product

CWE

CWE-288

Yayın Tarihi

2025-10-03 09:15:38

Güncelleme

2025-10-06 14:57:05

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-288 CRITICAL 2025

Referanslar

https://themespirit.com/talemy-changelog/ https://www.wordfence.com/threat-intel/vulnerabilities/id/a4cbc0e7-4328-451f-a595-1ce17e9d0031?source=cve