Privilege Escalation Vulnerability in CubeWP - All-in-One Dynamic Content Framework Plugin for WordPress
CVE-2025-4315

8.8 HIGH

What is CVE-2025-4315?

The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress contains a vulnerability that allows authenticated users with Subscriber-level access and above to exploit the update_user_meta() function. This flaw lets these users modify arbitrary user metadata and so elevate their privileges to those of an administrator. A user at a lower access level can therefore gain unauthorized control over the site by manipulating user permissions, compromising the security of the entire WordPress environment.

Affected Version(s)

CubeWP – All-in-One Dynamic Content Framework: all versions <= 1.1.23

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Friderika Baranyai