Privilege Escalation Vulnerability in ONLYOFFICE Docs Plugin for WordPress
CVE-2025-6380

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Onlyoffice Docs
Vendor: CVE Published:; 24 July 2025

What is CVE-2025-6380?

The ONLYOFFICE Docs plugin for WordPress presents a security flaw due to inadequate authorization checks within its oo.callback REST endpoint. Affected versions from 1.1.0 to 2.2.0 permit unauthenticated attackers to potentially escalate privileges by leveraging the lack of identity verification in the permission callback. Consequently, attackers may impersonate arbitrary users by simply supplying an encrypted attachment ID, posing a severe risk to user accounts within the WordPress environment.

Affected Version(s)

ONLYOFFICE Docs 1.1.0 <= 2.2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/onlyoffice/tag...

https://wordpress.org/plugins/onlyoffice/#developers

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 24, 2025
Vulnerability Reserved
Jun 19, 2025

Credit

Kenneth Dunn