Privilege Escalation Vulnerability in REST API Custom API Generator for WordPress
CVE-2025-5288
9.8 CRITICAL
Key Information:
- Vendor: WordPress
- CVE Published: 13 June 2025
What is CVE-2025-5288?
The REST API | Custom API Generator for WordPress plugin is vulnerable to privilege escalation because its process_handler() function performs no capability check. An unauthenticated user can send a POST request containing a crafted import_api URL; the plugin then imports JSON from that URL, and the imported data can create new users with full Administrator privileges, compromising the integrity and security of the affected WordPress installation.
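The following is an added example, not the plugin's own code (the page does not show process_handler() itself): it sketches the hardened shape such an import handler should have, with the capability check that was missing, plus nonce, URL and payload validation. The hook name, option name, function names and the JSON layout are assumptions.

```php
<?php
// Added example (not the plugin's code): hardened import handler for the
// CVE-2025-5288 pattern. Hook/option/field names are assumed.

add_action( 'admin_post_cag_import_api', 'cag_hardened_process_handler' );

function cag_hardened_process_handler() {
    // 1. Capability check: the control the vulnerable handler lacked.
    //    Without it, any visitor could reach the import logic.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }

    // 2. CSRF protection: require a nonce bound to this action.
    check_admin_referer( 'cag_import_api' );

    // 3. Validate the import_api URL before fetching anything.
    $url = isset( $_POST['import_api'] )
        ? esc_url_raw( wp_unslash( $_POST['import_api'] ) )
        : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_die( 'Invalid import URL.', 400 );
    }

    // wp_safe_remote_get() refuses loopback/private hosts, limiting SSRF.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_die( 'Import fetch failed.', 502 );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) || ! isset( $data['endpoints'] ) || ! is_array( $data['endpoints'] ) ) {
        wp_die( 'Malformed import data.', 400 );
    }

    // 4. Whitelist what the import may contain: endpoint definitions only.
    //    User or role records in the JSON are ignored, never acted on.
    $clean = array();
    foreach ( $data['endpoints'] as $ep ) {
        if ( ! is_array( $ep ) || empty( $ep['route'] ) ) {
            continue;
        }
        $method  = strtoupper( (string) ( $ep['method'] ?? 'GET' ) );
        $clean[] = array(
            'route'  => sanitize_text_field( $ep['route'] ),
            'method' => in_array( $method, array( 'GET', 'POST' ), true ) ? $method : 'GET',
        );
    }
    update_option( 'cag_endpoints', $clean );
    wp_safe_redirect( admin_url( 'admin.php?page=cag&imported=1' ) );
    exit;
}
```

The key defensive point is that authorisation is decided by current_user_can() at the top of the handler, not inferred from the request, and the imported JSON is reduced to a fixed schema so it cannot drive user creation.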
Affected Version(s)
REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 <= 2.0.3
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Credit
Kenneth Dunn