Privilege Escalation in Offsprout Page Builder for WordPress
CVE-2025-4672

8.8HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
31 May 2025

What is CVE-2025-4672?

The Offsprout Page Builder plugin for WordPress contains a vulnerability that allows authenticated users with Contributor-level access or above to exploit improper authorization in the permission_callback() function. This flaw permits these users to read, create, update, or delete any user meta, including potentially granting themselves administrator privileges. It affects versions 2.2.1 through 2.15.2, highlighting the importance of securing user permissions within WordPress plugins to prevent unauthorized access and manipulation.

Affected Version(s)

Offsprout Page Builder 2.2.1 <= 2.15.2

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kenneth Dunn
.
CVE-2025-4672 : Privilege Escalation in Offsprout Page Builder for WordPress