Platform: wordpress
Component: wp-foodbakery
Fixed in: 4.7.1
CVE-2025-0180 is a privilege escalation vulnerability affecting the WP Foodbakery plugin for WordPress. This flaw allows unauthenticated attackers to register on a WordPress site with administrator privileges. The vulnerability impacts versions 0.0.0 through 4.7, and a patch is available to address the issue.
The impact of CVE-2025-0180 is severe. An attacker exploiting this vulnerability can bypass authentication and gain full administrative control over the affected WordPress site. This grants them the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially compromise the entire server. The ease of exploitation – requiring only registration – significantly increases the risk of widespread attacks targeting sites using WP Foodbakery.
CVE-2025-0180 was publicly disclosed on 2025-02-11. Currently, there are no known public proof-of-concept exploits available. The vulnerability's ease of exploitation and the popularity of the WP Foodbakery plugin suggest it could become a target for automated attacks. Monitor WordPress security forums and vulnerability databases for updates.
Exploit Status
EPSS: 0.43% (62nd percentile)
The primary mitigation for CVE-2025-0180 is to immediately upgrade the WP Foodbakery plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting user registration to verified email addresses or implementing stricter user role assignment policies. While not a complete solution, these workarounds can reduce the attack surface. After upgrading, confirm the fix by attempting to register a new user without administrator privileges and verifying that the account is created with a standard user role.
Update the WP Foodbakery plugin to the latest available version to mitigate the privilege escalation vulnerability. Ensure you perform a full backup of your website before updating any plugin.
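An added example (not from this advisory or the plugin's authors) of a post-upgrade check: it reads WP-CLI JSON output to tell whether an affected WP Foodbakery version is installed, and lists administrator accounts that are missing from a known-good list. The sample JSON and account names are constructed, and the known-good list is an assumption supplied by the site operator.

```python
import json

# Constructed sample data, shaped like the JSON that WP-CLI prints for
#   wp plugin list --fields=name,version --format=json
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=json
SAMPLE_PLUGINS = '[{"name": "wp-foodbakery", "version": "4.7"}, {"name": "akismet", "version": "5.3"}]'
SAMPLE_ADMINS = """[
 {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-04 10:12:00"},
 {"ID": 57, "user_login": "ops-admin", "user_registered": "2023-09-18 07:40:11"},
 {"ID": 912, "user_login": "new_account_912", "user_registered": "2025-02-14 02:31:45"}
]"""

LAST_AFFECTED = (4, 7)  # per the advisory: 0.0.0 through 4.7 affected, fixed in 4.7.1


def parse_version(text):
    """Turn '4.7.1' into (4, 7, 1); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


def pad(version, width):
    """Right-pad with zeros so that 4.7 and 4.7.0 compare equal."""
    return version + (0,) * (width - len(version))


def is_affected(plugins_json, slug="wp-foodbakery"):
    """True/False for an installed plugin, None if the plugin is not installed."""
    for plugin in json.loads(plugins_json):
        if plugin["name"] == slug:
            version = parse_version(plugin["version"])
            width = max(len(version), len(LAST_AFFECTED))
            return pad(version, width) <= pad(LAST_AFFECTED, width)
    return None


def unexpected_admins(admins_json, known_admins):
    """Administrator accounts not on the operator's known-good list
    (an assumption of this example), newest registration first."""
    rows = [a for a in json.loads(admins_json) if a["user_login"] not in known_admins]
    return sorted(rows, key=lambda a: a["user_registered"], reverse=True)


if __name__ == "__main__":
    print("affected version installed:", is_affected(SAMPLE_PLUGINS))
    for acct in unexpected_admins(SAMPLE_ADMINS, known_admins={"siteowner", "ops-admin"}):
        print("review:", acct["ID"], acct["user_login"], acct["user_registered"])
```

Any account it lists should be reviewed by hand before its role is changed or the account is removed, since the known-good list may simply be out of date.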
CVE-2025-0180 is a critical vulnerability in the WP Foodbakery WordPress plugin allowing unauthenticated users to register as administrators. It impacts versions 0.0.0–4.7 due to improper user meta restrictions.
If you are using WP Foodbakery version 0.0.0 through 4.7, you are affected by this vulnerability. Check your plugin version immediately.
Upgrade the WP Foodbakery plugin to the latest available version. If upgrading is not possible, implement temporary workarounds like restricting user registration.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a potential target for attackers. Continuous monitoring is advised.
Refer to the WP Foodbakery plugin's official website or WordPress plugin repository for the latest security advisory and update information.