cbcvebase.
CVE-2025-5288
published 2025-06-13

CVE-2025-5288: The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing…

PriorityP267critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.53%
40.8th percentile
The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges.

Affected

11 ranges
VendorProductVersion rangeFixed in
linuxlinux_kernel>= 2.6.12 < 5.10.2485.10.248
linuxlinux_kernel>= 5.11.0 < 5.15.1985.15.198
linuxlinux_kernel>= 5.16.0 < 6.1.1606.1.160
linuxlinux_kernel>= 6.13.0 < 6.18.36.18.3
linuxlinux_kernel>= 6.2.0 < 6.6.1206.6.120
linuxlinux_kernel>= 6.7.0 < 6.12.646.12.64
msrcazure_linux_3.0_arm
msrcazure_linux_3.0_x64
msrccbl_mariner_2.0_arm
msrccbl_mariner_2.0_x64
weboccultsrest_api_custom_api_generator_for_cross_platform_and_import_export_in_wp1.0.0 – 2.0.3

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc5.1MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.