Scan free
CRITICALCVE-2025-0177CVSS 9.8

CVE-2025-0177: Privilege Escalation in Javo Core

Platform

wordpress

Component

javo-core

Fixed in

3.0.1

AI Confidence: highNVDEPSS 0.7%Reviewed: May 2026
View on NVD
Save

CVE-2025-0177 is a critical privilege escalation vulnerability affecting the Javo Core plugin for WordPress. This flaw allows unauthenticated attackers to elevate their privileges to administrator level by simply creating a new user account. The vulnerability impacts versions 0 through 3.0.0.080 of the plugin. A patch is expected from the vendor.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The impact of this vulnerability is severe. An attacker exploiting CVE-2025-0177 can gain complete control over a WordPress site. This includes the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially use the compromised site to launch further attacks against other systems. The ease of exploitation – requiring only account creation – significantly increases the risk of widespread compromise, particularly for sites with weak security practices.

Exploitation Context

This vulnerability is considered high risk due to its critical CVSS score and the ease of exploitation. Public proof-of-concept code is likely to emerge quickly, increasing the likelihood of widespread exploitation. Monitor security advisories and threat intelligence feeds for updates on exploitation activity. The vulnerability was publicly disclosed on 2025-03-08.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.73% (73% percentile)

CISA SSVC

Exploitationnone
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentjavo-core
Vendorjavothemes
Affected rangeFixed in
0 – 3.0.0.0803.0.1

Weakness Classification (CWE)

CWE-269

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 442 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-0177 is to upgrade to a patched version of the Javo Core plugin as soon as it becomes available. Until a patch is released, consider temporarily disabling user registration on the WordPress site to prevent attackers from creating administrator accounts. Implementing a Web Application Firewall (WAF) with rules to block suspicious account creation attempts can also provide a layer of defense. Regularly review user accounts and permissions to identify and remove any unauthorized administrator accounts.

How to fix

Update the Javo Core plugin to a patched version. The vulnerability allows unauthenticated users to assign administrator roles, so applying the update is crucial to mitigate the risk of privilege escalation.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-0177 — Privilege Escalation in Javo Core?

CVE-2025-0177 is a critical vulnerability in the Javo Core WordPress plugin that allows unauthenticated attackers to gain administrator privileges by creating new user accounts, granting them full control over the website.

Am I affected by CVE-2025-0177 in Javo Core?

If you are using Javo Core plugin versions 0 through 3.0.0.080, you are potentially affected by this vulnerability. Check your plugin version and upgrade as soon as a patch is available.

How do I fix CVE-2025-0177 in Javo Core?

The recommended fix is to upgrade to a patched version of the Javo Core plugin. Until a patch is released, disable user registration or implement a WAF to block suspicious account creation attempts.

Is CVE-2025-0177 being actively exploited?

While active exploitation is not yet confirmed, the vulnerability's critical severity and ease of exploitation suggest it is likely to be targeted soon. Monitor security advisories and threat intelligence feeds.

Where can I find the official Javo Core advisory for CVE-2025-0177?

Refer to the Javo Core plugin's official website or WordPress plugin repository for the latest security advisory and patch information.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs