Platform
wordpress
Component
wp-foodbakery
Fixed in
4.7.1
CVE-2025-0180 is a privilege escalation vulnerability in the WP Foodbakery plugin for WordPress. Because the plugin does not properly restrict the user meta values that can be supplied during registration, an unauthenticated attacker can register an account on the site that holds administrator privileges. All versions up to and including 4.7 (0.0.0 through 4.7) are affected; version 4.7.1 fixes the issue.
The impact of CVE-2025-0180 is severe. No prior authentication is required: an attacker simply registers a new account and ends up with the administrator role. That grants complete control over the WordPress site, including access to sensitive data, modification of content, installation of malicious plugins or themes (and with them arbitrary PHP execution), and potentially access to the underlying server. Given how widely WordPress is deployed and how popular the WP Foodbakery theme plugin is, an unauthenticated path to an administrator account is about as bad as a web application flaw gets.
CVE-2025-0180 was publicly disclosed on 2025-02-11. No public proof-of-concept (PoC) code has been released, but exploitation amounts to a crafted registration request, so opportunistic scanning for vulnerable installations should be expected. Taken together, the low attack complexity and the plugin's popularity point to a medium probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog.
Any website running an unpatched WP Foodbakery plugin is at significant risk, and sites whose registration forms are reachable by anonymous visitors are the most exposed. Installations on shared hosting where the site owner does not control plugin updates are also especially likely to remain unpatched. Sites that rely on WP Foodbakery for critical functionality or that store sensitive user data (orders, addresses, payment details) face the highest potential impact.
• wordpress / composer / npm: locate the code paths that write user meta during registration, which is where the fix lives:
grep -r 'update_user_meta' /var/www/html/wp-content/plugins/wp-foodbakery/
• wordpress / composer / npm: confirm whether the plugin is installed and which version is present:
wp plugin list --status=all | grep wp-foodbakery
• wordpress / composer / npm: update this plugin to the patched release (or run wp plugin update --all to update every plugin with a pending update):
wp plugin update wp-foodbakery
Exploit status
EPSS
0.43% (62nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0180 is to upgrade the WP Foodbakery plugin to 4.7.1 or later immediately. If upgrading is not immediately feasible because of compatibility or breaking changes, temporarily disable user registration and make sure the default role for new users is the least privileged one available; these workarounds shrink the attack surface but do not remove the flaw. Audit the user list for administrator accounts you did not create, paying particular attention to any registered after the disclosure date, and treat the site as compromised if you find one. After upgrading, verify the fix by attempting a registration through the plugin while supplying role-related fields: the attempt should either be rejected or produce an account with only the default role, and must never yield an administrator.
Update the WP Foodbakery plugin to the latest available version to mitigate the privilege escalation vulnerability. Make sure to take a full backup of your website before updating any plugin.
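The post-upgrade checks described above, as an added example that is not part of the advisory or the plugin. The version boundaries (affected through 4.7, fixed in 4.7.1) and the disclosure date come from the advisory; the wp-cli invocations are real commands, but the CSV sample below is constructed so that the script runs offline, and the live calls are shown commented out.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): post-upgrade checks for
# CVE-2025-0180. Version boundaries come from the advisory (affected through 4.7,
# fixed in 4.7.1); the sample wp-cli output below is constructed so the script
# runs offline, and the live wp-cli invocations are shown commented out.

FIXED_VERSION="4.7.1"        # first patched release
DISCLOSURE_DATE="2025-02-11" # public disclosure date from the advisory

# version_lt A B: succeeds (exit 0) if dotted version A sorts before B.
# Missing components count as 0, so 4.7 is treated as 4.7.0 (< 4.7.1).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# is_vulnerable VERSION: prints "yes" when the installed version predates the fix.
is_vulnerable() {
  if version_lt "$1" "$FIXED_VERSION"; then echo yes; else echo no; fi
}

# suspicious_admins CUTOFF: reads wp-cli CSV (ID,user_login,user_registered) on
# stdin and prints the login of every administrator registered on or after CUTOFF.
# user_registered is "YYYY-MM-DD HH:MM:SS", so the date prefix compares as text.
suspicious_admins() {
  awk -F, -v cutoff="$1" 'NR > 1 && substr($3, 1, 10) >= cutoff { print $2 }'
}

# Constructed sample of the output of:
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
SAMPLE_ADMINS='ID,user_login,user_registered
1,siteowner,2021-06-14 09:12:44
57,wpupdate_svc,2025-02-13 03:41:07
58,admin2,2025-03-02 18:05:59'

# Demo run against the constructed data.
for v in 4.7 4.7.1 4.10; do
  printf 'wp-foodbakery %s vulnerable: %s\n' "$v" "$(is_vulnerable "$v")"
done
echo "administrator accounts registered since $DISCLOSURE_DATE:"
printf '%s\n' "$SAMPLE_ADMINS" | suspicious_admins "$DISCLOSURE_DATE"

# Live use on a real site (wp-cli required):
# is_vulnerable "$(wp plugin get wp-foodbakery --field=version)"
# wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv \
#   | suspicious_admins "$DISCLOSURE_DATE"
```

The version comparison is done numerically per component rather than with a string compare, so 4.10 correctly ranks above 4.7.1. An administrator account that appears in the second list and that you did not create is evidence of compromise, not just a finding to clean up: rotate credentials and keys and inspect the plugin and upload directories for web shells before trusting the site again.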
CVE-2025-0180 is a critical vulnerability in the WP Foodbakery WordPress plugin that allows unauthenticated users to register as administrators. It affects versions 0.0.0 through 4.7 and is caused by the plugin not properly restricting the user meta values accepted during registration.
If you are running any WP Foodbakery version up to and including 4.7, you are affected. Check your installed plugin version immediately.
Upgrade the WP Foodbakery plugin to 4.7.1 or later. If upgrading is not possible right away, apply temporary workarounds such as disabling user registration, and audit existing administrator accounts.
No public exploits are currently known, but the vulnerability is easy to exploit and therefore an attractive target. Continuous monitoring for unexpected administrator accounts is advised.
Refer to the WP Foodbakery plugin's official website or the WordPress plugin repository for the latest security advisory and update information.