CVE-2025-5701
Published 2025-06-05
CVE-2025-5701: The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability…
Priority P270 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.72% (74.6th percentile)
The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_mozjs_102.15.1-1_on_azure_linux_3.0 | — | — |
| siteheart | hypercomments | <= 1.2.2 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /wp-admin/index.php with the query parameter hc_action=update_options, especially from unauthenticated sessions.
- A successful exploitation response contains a JSON body matching {"result":"success"}; alert on this pattern in responses to the above endpoint.
- Attackers fingerprint vulnerable installations by fetching the plugin readme.txt; monitor for unauthenticated GET requests to /wp-content/plugins/hypercomments/readme.txt.
- The exploit payload sets default_role to administrator and users_can_register to 1; monitor the WordPress options table or audit logs for these specific option changes.
- The vulnerable function is hc_request_handler; monitor server-side logs or WAF rules for invocations of this handler without authentication context.
- The Nuclei template is marked as unverified (verified: false), meaning the detection logic has not been confirmed against a live vulnerable instance and may produce false positives or false negatives.
- Version detection relies on parsing the Stable tag from readme.txt, which can be manually altered or absent, making version-based gating unreliable as a sole detection method.
- The exploit uses Content-Type: application/x-www-form-urlencoded but sends a JSON body; some WAF rules normalizing content-type may not inspect the body correctly; ensure the WAF is configured to parse JSON regardless of the declared content-type.
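The two request indicators above, applied to web server access logs, as an added example that is not part of the original page or of any tool it cites. It assumes Apache/nginx combined log format; the function names, risk labels and sample lines are constructed for illustration, and because access logs carry neither the session state nor the response body, a 2xx status stands in for the `{"result":"success"}` check.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
README = "/wp-content/plugins/hypercomments/readme.txt"

def classify(method, target):
    """Return the indicator a request matches, or None."""
    url = urlsplit(target)
    path = re.sub(r"/+", "/", url.path).lower()   # collapse duplicate slashes
    query = parse_qs(url.query)                   # percent-decodes values
    if (method == "POST" and path.endswith("/wp-admin/index.php")
            and "update_options" in query.get("hc_action", [])):
        return "options_update"
    if method == "GET" and path.endswith(README):
        return "readme_probe"
    return None

def scan(lines):
    """Group indicator hits by client IP and rate each client."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, method, target, status = m.groups()
            kind = classify(method.upper(), target)
            if kind:
                hits[ip].append((kind, int(status)))
    report = {}
    for ip, events in hits.items():
        updates = [s for k, s in events if k == "options_update"]
        if any(200 <= s < 300 for s in updates):
            report[ip] = "high"      # update request answered with 2xx
        elif updates:
            report[ip] = "medium"    # attempt seen, rejected or redirected
        else:
            report[ip] = "low"       # readme fingerprinting only
    return report

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [05/Jun/2025:10:00:01 +0000] "GET /wp-content/plugins/hypercomments/readme.txt HTTP/1.1" 200 2104 "-" "curl/8.0"',
    '203.0.113.7 - - [05/Jun/2025:10:00:03 +0000] "POST /wp-admin/index.php?hc_action=update_options HTTP/1.1" 200 20 "-" "curl/8.0"',
    '198.51.100.9 - - [05/Jun/2025:10:05:00 +0000] "GET /wp-content/plugins/hypercomments/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [05/Jun/2025:10:06:00 +0000] "POST /wp-admin/index.php?hc_action=update%5Foptions HTTP/1.1" 403 0 "-" "x"',
    '192.0.2.8 - - [05/Jun/2025:10:07:00 +0000] "POST /wp-admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

A "high" result should be followed by checking the current values of `default_role` and `users_can_register` and reviewing recently created administrator accounts.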
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc · 9.8 CRITICAL
GHSA
GHSA-v36x-3fmp-47fp: The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capab
ghsa_unreviewed·2025-06-05
CVE-2025-5701 [CRITICAL] CWE-862 GHSA-v36x-3fmp-47fp: The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capab
Microsoft
Memory safety bugs present in Firefox 126. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
vendor_msrc·2024-06-11·CVSS 9.8
CVE-2024-5701 [CRITICAL] CWE-787 Memory safety bugs present in Firefox 126. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Memory safety bugs present in Firefox 126. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox
Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is i
No detection rules found.
Nuclei
HyperComments <= 1.2.2 - Arbitrary Options Update
nuclei·CVSS 8.8
CVE-2025-5701 [HIGH] HyperComments <= 1.2.2 - Arbitrary Options Update
Template:
```yaml
id: CVE-2025-5701

info:
  name: HyperComments <= 1.2.2 - Arbitrary Options Update
  author: kylew1004
  severity: critical
  description: |
    The HyperComments plugin for WordPress is vulnerable to unauthorized modifi
```
No writeups or analysis indexed.
Published: 2025-06-05