Data Modification and Escalation Vulnerability in Demo Importer Plus Plugin for WordPress
CVE-2025-14364

8.8 HIGH

Key Information:

Vendor

WordPress

CVE Published:
18 December 2025

What is CVE-2025-14364?

The Demo Importer Plus plugin for WordPress is missing a capability check in its Ajax::handle_request() function, so any authenticated user, including an account with only Subscriber-level access, can invoke it. An attacker who does so can trigger a full site reset, which deletes every database table except the users and usermeta tables. Because the reset re-assigns roles automatically, the attacking Subscriber account ends up with administrator privileges, so the flaw is both a data-destruction and a privilege-escalation issue.
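The root cause described above is a WordPress AJAX handler that treats "logged in" as sufficient authorization. The following is an added illustration, not the Demo Importer Plus plugin's own code: the function names, the `dip_demo_reset` action, the `task` parameter and the `dip_reset_nonce` nonce are assumptions, and the reset routine only models the impact the advisory describes (drop all tables except users and usermeta, then re-assign roles). It contrasts a handler with no capability check against a hardened one.

```php
<?php
/**
 * Added illustrative example; not the Demo Importer Plus plugin's own code.
 * Function names, the 'dip_demo_reset' action, the 'task' parameter and the
 * 'dip_reset_nonce' nonce are assumptions. Runs inside a WordPress plugin.
 */

/**
 * The destructive operation the handler must guard. Models the impact the
 * advisory describes: every table except users and usermeta is dropped, and
 * the account that triggered the reset is handed the administrator role as
 * part of the automated re-setup.
 */
function dip_reset_site() {
    global $wpdb;
    $keep = array( $wpdb->users, $wpdb->usermeta );
    foreach ( $wpdb->get_col( 'SHOW TABLES' ) as $table ) {
        if ( ! in_array( $table, $keep, true ) ) {
            $wpdb->query( 'DROP TABLE IF EXISTS `' . str_replace( '`', '', $table ) . '`' );
        }
    }
    // Automated role re-assignment: whoever sent the request becomes admin.
    // Without a capability check in the handler, that is the Subscriber.
    $user = wp_get_current_user();
    $user->set_role( 'administrator' );
}

/**
 * VULNERABLE pattern: dispatches on the request with no capability check.
 * wp_ajax_{action} hooks fire for every logged-in user, so a Subscriber
 * POSTing action=dip_demo_reset&task=reset to /wp-admin/admin-ajax.php
 * reaches dip_reset_site(). Shown for contrast only; not registered on a hook.
 */
function dip_handle_request_vulnerable() {
    $task = isset( $_POST['task'] ) ? sanitize_key( wp_unslash( $_POST['task'] ) ) : '';
    if ( 'reset' === $task ) {
        dip_reset_site();
    }
    wp_send_json_success( array( 'task' => $task ) );
}

/**
 * HARDENED pattern: verify the CSRF nonce, then require an explicit
 * capability before any branch runs. Being logged in is authentication;
 * manage_options is the authorization the destructive branch needs.
 */
function dip_handle_request_hardened() {
    check_ajax_referer( 'dip_reset_nonce', 'nonce' ); // terminates the request on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() calls wp_die(), so nothing below runs.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $task = isset( $_POST['task'] ) ? sanitize_key( wp_unslash( $_POST['task'] ) ) : '';
    if ( 'reset' === $task ) {
        dip_reset_site();
    }
    wp_send_json_success( array( 'task' => $task ) );
}
add_action( 'wp_ajax_dip_demo_reset', 'dip_handle_request_hardened' );
```

A nonce on its own would not close this class of bug: a nonce is a CSRF control, not an authorization control, and a Subscriber who can load any page that prints it (for example via wp_localize_script) holds a valid one. The current_user_can() check on a capability, not a role name, is what stops a low-privilege account from reaching the reset path.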

Affected Version(s)

Demo Importer Plus, all versions up to and including 2.0.8 (* <= 2.0.8)

CVSS v3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published (18 December 2025)

Credit

Angus Girvan