Privilege Escalation in Lisfinity Core Plugin for WordPress from Lisfinity
CVE-2025-6042

7.3 HIGH

What is CVE-2025-6042?

The Lisfinity Core plugin, part of the Lisfinity WordPress theme, has a privilege escalation vulnerability in all versions up to and including 1.4.0. By default, the plugin assigns the editor role. Although limits are placed on that role's capabilities, API usage is not adequately restricted. This flaw can potentially be exploited in conjunction with other vulnerabilities to grant unauthorized admin privileges, putting WordPress sites at significant risk.

Affected Version(s)

Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme: all versions <= 1.4.0

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alyudin Nafiie