Platform: wordpress
Component: lisfinity-core
Fixed in: 1.4.1
CVE-2025-6042 describes a privilege escalation vulnerability discovered in the Lisfinity Core plugin, a component used by the pebas® Lisfinity WordPress theme. This flaw allows attackers to potentially gain elevated privileges within a WordPress site by exploiting the plugin's default editor role assignment and unrestricted API access. The vulnerability impacts versions 1.0.0 through 1.4.0 of the plugin, and a fix is currently available.
The core of this vulnerability lies in the plugin's default configuration, which assigns the 'editor' role to users. While some capability limitations are present, the plugin lacks restrictions on API usage. This means an attacker, potentially with limited initial access, can leverage the API to bypass intended security controls. Crucially, this vulnerability can be chained with CVE-2025-6038 to achieve full administrator privileges. Successful exploitation could lead to complete control over the WordPress site, including data modification, deletion, and the installation of malicious code. The blast radius extends to all data and functionality accessible through the compromised WordPress installation.
As of the publication date (2025-10-15), the vulnerability is publicly disclosed. The potential for exploitation is considered medium due to the requirement of chaining with CVE-2025-6038. Public proof-of-concept (POC) code may become available, increasing the risk of exploitation. Monitor security advisories and vulnerability databases for updates and potential KEV listing.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-6042 is to upgrade the Lisfinity Core plugin to a patched version as soon as it becomes available. Until a patch is released, consider restricting API access for users with the 'editor' role. WordPress administrators should review user roles and permissions to ensure that only necessary privileges are granted. Implementing a Web Application Firewall (WAF) with rules to block suspicious API requests targeting the plugin can provide an additional layer of defense. Monitor WordPress logs for unusual API activity or attempts to escalate privileges.
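One way to apply the interim "restrict API access for the editor role" and log-monitoring steps above, as an added example that is not part of this advisory or of the Lisfinity project: a WordPress must-use plugin that, while the installed lisfinity-core is older than 1.4.1, refuses the plugin's REST routes to editor-role callers and logs each refusal. The plugin main-file path and the REST namespace prefix are assumptions and must be checked against the actual installation.

```php
<?php
/**
 * Plugin Name: Lisfinity Core REST guard (added example, not vendor code)
 * Description: Until lisfinity-core is at 1.4.1 or later, block editor-role
 *              users from the plugin's REST routes and log the attempts.
 * Install as a must-use plugin: wp-content/mu-plugins/lisfinity-rest-guard.php
 */

// ASSUMPTIONS (not taken from the advisory):
//   - the plugin's main file is lisfinity-core/lisfinity-core.php
//   - its REST routes live under the namespace prefix "/lisfinity/"
// Adjust both to match the installation before relying on this guard.
define( 'LRG_PLUGIN_FILE', 'lisfinity-core/lisfinity-core.php' );
define( 'LRG_ROUTE_PREFIX', '/lisfinity/' );
define( 'LRG_FIXED_VERSION', '1.4.1' ); // "Fixed in" version per the advisory

/** Return true when the installed lisfinity-core is older than the fixed release. */
function lrg_plugin_is_vulnerable() {
    $path = WP_PLUGIN_DIR . '/' . LRG_PLUGIN_FILE;
    if ( ! file_exists( $path ) ) {
        return false; // plugin not installed, nothing to guard
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data = get_plugin_data( $path, false, false );
    return version_compare( $data['Version'], LRG_FIXED_VERSION, '<' );
}

/** Short-circuit REST dispatch for editor-role callers hitting the plugin's routes. */
function lrg_guard_rest_dispatch( $result, $server, $request ) {
    if ( null !== $result || ! lrg_plugin_is_vulnerable() ) {
        return $result; // another filter already answered, or nothing to guard
    }
    if ( 0 !== strpos( $request->get_route(), LRG_ROUTE_PREFIX ) ) {
        return $result; // not a lisfinity route, leave it alone
    }
    $user = wp_get_current_user(); // authentication has already run at this point
    if ( ! in_array( 'editor', (array) $user->roles, true ) ) {
        return $result; // only the editor role is restricted by this guard
    }
    // Feed the "monitor WordPress logs for unusual API activity" step.
    error_log( sprintf(
        'lisfinity-rest-guard: blocked %s %s for editor user #%d',
        $request->get_method(), $request->get_route(), $user->ID
    ) );
    return new WP_Error( 'lrg_forbidden', 'REST access to this plugin is restricted.', array( 'status' => 403 ) );
}
add_filter( 'rest_pre_dispatch', 'lrg_guard_rest_dispatch', 10, 3 );
```

The guard deactivates itself once the plugin reports version 1.4.1 or later, but it should still be removed after the upgrade so legitimate editor workflows are not silently affected by a stale namespace assumption.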
Update the Lisfinity Core plugin to a fixed version. The vulnerability allows privilege escalation by assigning the editor role by default. Check for available updates in the WordPress repository or contact the developer to obtain a fixed version.
CVE-2025-6042 is a privilege escalation vulnerability affecting the Lisfinity Core plugin for WordPress, allowing potential admin access due to default editor role assignment and unrestricted API access.
You are affected if your WordPress site uses the Lisfinity Core plugin in versions 1.0.0 through 1.4.0. Check your plugin versions immediately.
Upgrade the Lisfinity Core plugin to the latest available version as soon as a patch is released. Until then, restrict API access for editor roles.
The vulnerability has been publicly disclosed, and the potential for exploitation is considered medium. Monitor security advisories for confirmed exploitation.
Refer to the Lisfinity website and WordPress plugin repository for official advisories and updates regarding CVE-2025-6042.