cbcvebase.
CVE-2025-5701
published 2025-06-05

CVE-2025-5701: The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability…

PriorityP270high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
1.72%
74.6th percentile
The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affected

2 ranges
VendorProductVersion rangeFixed in
msrcazl3_mozjs_102.15.1-1_on_azure_linux_3.0
sitehearthypercomments<= 1.2.2

Detection & IOCsextracted from sources · hover to see the quote

url/wp-admin/index.php?hc_action=update_options
path/wp-content/plugins/hypercomments/readme.txt
command{"default_role":"administrator","users_can_register":"1"}
otherbody="/wp-content/plugins/hypercomments"
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/index.php with the query parameter hc_action=update_options, especially from unauthenticated sessions.
  • A successful exploitation response contains a JSON body matching {"result":"success"}; alert on this pattern in responses to the above endpoint.
  • Attackers fingerprint vulnerable installations by fetching the plugin readme.txt; monitor for unauthenticated GET requests to /wp-content/plugins/hypercomments/readme.txt.
  • The exploit payload sets default_role to administrator and users_can_register to 1; monitor WordPress options table or audit logs for these specific option changes.
  • The vulnerable function is hc_request_handler; monitor server-side logs or WAF rules for invocations of this handler without authentication context.
  • ·The Nuclei template is marked as unverified (verified: false), meaning the detection logic has not been confirmed against a live vulnerable instance and may produce false positives or false negatives.
  • ·Version detection relies on parsing the Stable tag from readme.txt, which can be manually altered or absent, making version-based gating unreliable as a sole detection method.
  • ·The exploit uses Content-Type: application/x-www-form-urlencoded but sends a JSON body; some WAF rules normalizing content-type may not inspect the body correctly — ensure WAF is configured to parse JSON regardless of declared content-type.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.