Privilege Escalation Vulnerability in REST API Custom API Generator for WordPress
CVE-2025-5288

9.8 CRITICAL

What is CVE-2025-5288?

The REST API | Custom API Generator for WordPress plugin is vulnerable to privilege escalation because of a missing capability check in its process_handler() function. Unauthenticated users can trigger the handler by sending a POST request with a crafted import_api URL. The handler then fetches and imports attacker-controlled JSON data, which can create new users with full Administrator privileges, compromising the integrity and security of the affected WordPress installations.
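The root cause is a handler that is reachable without any check of who is calling it. The following added example is not the plugin's code: it shows a hypothetical import handler written in the insecure pattern the advisory describes and, beside it, the hardened form a WordPress developer would ship. The hook names, option key, and the allow-list of accepted fields are assumptions chosen for illustration; only the import_api parameter name comes from the advisory.

```php
<?php
// Added example, not the plugin's own code. The handlers below are a
// hypothetical stand-in for an "import from URL" feature; action names,
// the option key and the accepted fields are assumptions.

// INSECURE pattern: the handler is registered for unauthenticated callers
// and never asks whether the caller is allowed to import configuration.
function insecure_import_handler() {
    $url  = isset( $_POST['import_api'] ) ? esc_url_raw( wp_unslash( $_POST['import_api'] ) ) : '';
    $body = wp_remote_retrieve_body( wp_remote_get( $url ) );
    $data = json_decode( $body, true );
    // ... $data is then imported as-is; any records it carries are trusted.
}
add_action( 'admin_post_nopriv_example_import', 'insecure_import_handler' ); // nopriv: anonymous callers reach it
add_action( 'admin_post_example_import', 'insecure_import_handler' );

// HARDENED pattern: authenticated callers only, capability check, nonce
// verification, safe fetch, and an allow-list on the imported JSON so the
// payload cannot reach user or role data.
function secure_import_handler() {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // Ties the request to a form the admin actually submitted (CSRF defence).
    check_admin_referer( 'example_import_action', 'example_import_nonce' );

    $url = isset( $_POST['import_api'] ) ? esc_url_raw( wp_unslash( $_POST['import_api'] ) ) : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_die( 'Invalid import URL.', '', array( 'response' => 400 ) );
    }

    // wp_safe_remote_get() refuses local/private destinations that wp_remote_get() would fetch.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        wp_die( 'Fetch failed.', '', array( 'response' => 502 ) );
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Malformed import data.', '', array( 'response' => 400 ) );
    }

    // Only the fields the import feature needs are kept; everything else
    // in the payload is dropped before it is stored.
    $allowed = array( 'name', 'route', 'method' );
    $clean   = array_intersect_key( $data, array_flip( $allowed ) );
    $clean   = array_map( 'sanitize_text_field', $clean );
    update_option( 'example_import_definition', $clean );

    wp_safe_redirect( admin_url( 'admin.php?page=example-import&status=ok' ) );
    exit;
}
// No admin_post_nopriv_ registration: unauthenticated requests never reach the handler.
add_action( 'admin_post_example_import', 'secure_import_handler' );
```

The two registrations are the point to audit: any `admin_post_nopriv_*`, `wp_ajax_nopriv_*`, or REST route with `permission_callback => '__return_true'` that performs a privileged write should be treated as a finding, and capability checks belong inside the handler itself rather than only in the menu page that links to it.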

Affected Version(s)

REST API | Custom API Generator For Cross Platform And Import Export In WP, versions 1.0.0 through 2.0.3

CVSS v3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Kenneth Dunn