Platform: wordpress
Component: age-restriction
Fixed in: 3.0.3
CVE-2025-11855 describes a privilege escalation vulnerability discovered in the Age Restriction WordPress plugin. This flaw allows authenticated users, even those with subscriber roles, to create new administrator accounts with predetermined credentials. The vulnerability impacts versions 0 through 3.0.2 of the plugin, and a patch is expected to be released by the plugin developer.
The primary impact of CVE-2025-11855 is the ability for lower-privileged users to gain administrative access to a WordPress site. An attacker with subscriber access could exploit this vulnerability to create a new administrator account, effectively taking complete control of the website. This control encompasses modifying content, installing malicious plugins, accessing sensitive data, and potentially pivoting to other systems on the network. The ease of exploitation, requiring only authenticated access, significantly broadens the potential attack surface.
CVE-2025-11855 was publicly disclosed on 2025-11-11. A public proof-of-concept is likely to emerge given the vulnerability's ease of exploitation. The vulnerability is not currently listed on CISA KEV as of this writing. Active exploitation campaigns are possible, particularly targeting websites running older, unpatched versions of the Age Restriction plugin.
Exploit Status
EPSS: 0.07% (22nd percentile)
CVSS Vector:
The immediate mitigation for CVE-2025-11855 is to upgrade the Age Restriction WordPress plugin to a version containing the fix. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting user roles and permissions to minimize the potential impact. Review user accounts for any suspicious additions. Monitor WordPress logs for unusual activity, particularly attempts to create new administrator accounts. While a WAF may not directly prevent this, it can be configured to flag suspicious requests related to user creation.
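As an added, defender-side illustration of the log-monitoring advice above (this is not code from the Age Restriction plugin, from WordPress core, or from this advisory), a must-use plugin that hooks the core role-assignment actions and logs plus e-mails an alert whenever an account is created as, or promoted to, administrator. The alert address is an assumption.

```php
<?php
/*
 * Plugin Name: Admin Account Monitor (mu-plugin)
 * Description: Logs and e-mails an alert when a user is created with, or
 * promoted to, the administrator role. Place in wp-content/mu-plugins/.
 * Added illustration for this advisory, not code from the Age Restriction
 * plugin. Only role changes made through the WordPress user API fire these
 * hooks; a direct database edit would not be seen.
 */

// Assumed alert address; replace with the site owner's address.
define( 'AAM_ALERT_TO', 'security@example.invalid' );

// Describe who triggered the change: acting user, client IP and request path.
function aam_describe_actor() {
    $actor = wp_get_current_user();
    $login = ( $actor && $actor->ID ) ? $actor->user_login : 'unauthenticated';
    $uri   = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '(cli)';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '(none)';
    return sprintf( 'actor=%s ip=%s uri=%s', $login, $ip, $uri );
}

// Write one line to the PHP error log and send the same text by e-mail.
function aam_alert( $user_id, $reason ) {
    $user = get_userdata( $user_id );
    $msg  = sprintf( '[admin-monitor] %s: user_id=%d login=%s %s',
        $reason, $user_id, $user ? $user->user_login : '(unknown)', aam_describe_actor() );
    error_log( $msg );
    wp_mail( AAM_ALERT_TO, 'Administrator account event on ' . home_url(), $msg );
}

// set_user_role fires when a primary role is replaced; wp_insert_user() reaches
// it with an empty $old_roles, so brand-new administrator accounts are caught too.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        aam_alert( $user_id, 'role set to administrator' );
    }
}, 10, 3 );

// add_user_role fires when an extra role is attached without replacing others.
add_action( 'add_user_role', function ( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        aam_alert( $user_id, 'administrator role added' );
    }
}, 10, 2 );
```

Pair the log line with a periodic `wp user list --role=administrator` review so that an account added while the monitor was not yet installed is still noticed.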
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-11855 is a HIGH severity vulnerability allowing authenticated users to create admin accounts in the Age Restriction WordPress plugin, potentially granting them full control of the website.
If you are using the Age Restriction WordPress plugin versions 0 through 3.0.2, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade the Age Restriction WordPress plugin to the latest available version. Check the plugin developer's website for the patched version.
While no active exploitation has been confirmed, the ease of exploitation suggests active campaigns are possible. Monitor your website and logs for suspicious activity.
Check the Age Restriction plugin developer's website and WordPress plugin repository for the official advisory and patch information.