Plateforme
wordpress
Composant
mementor-core
Corrigé dans
2.2.6
CVE-2025-11168 describes a Privilege Escalation vulnerability discovered in the Mementor Core WordPress plugin. An attacker with Subscriber-level access or higher can exploit this flaw to gain administrator privileges, potentially compromising the entire WordPress site. This vulnerability affects versions 0.0.0 through 2.2.5, and a patch is available in version 2.2.6.
Successful exploitation of CVE-2025-11168 allows an authenticated attacker to bypass access controls and assume the role of an administrator. This grants them complete control over the WordPress site, including the ability to modify content, install malicious plugins, create new user accounts with elevated privileges, and potentially access sensitive data stored within the WordPress database. The impact is significant, as a compromised administrator account can lead to a full site takeover and data breach. This vulnerability highlights the importance of proper user access controls and secure coding practices within WordPress plugins.
CVE-2025-11168 was publicly disclosed on 2025-11-11. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation, given the requirement of only authenticated Subscriber access, suggests a potential for exploitation if widely publicized.
WordPress sites utilizing the Mementor Core plugin, particularly those with Subscriber-level users who have access to administrative functions or are part of shared hosting environments, are at risk. Sites with legacy configurations or those that haven't implemented robust user access controls are especially vulnerable.
• wordpress / composer / npm:
grep -r 'switch_back_user' /var/www/html/wp-content/plugins/mementor-core/• wordpress / composer / npm:
wp plugin list --status=active | grep mementor-core• wordpress / composer / npm:
wp plugin update mementor-core --alldisclosure
Statut de l'Exploit
EPSS
0.07% (percentile 22%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2025-11168 is to immediately upgrade the Mementor Core plugin to version 2.2.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the user switch back functionality. While not a complete fix, this can limit the attacker's ability to exploit the vulnerability. Monitor WordPress access logs for suspicious activity, particularly attempts to access administrative functions from accounts with lower privileges. Implement a Web Application Firewall (WAF) with rules to detect and block attempts to exploit the user switch back functionality.
Actualice el plugin Mementor Core a la versión 2.2.6 o superior para mitigar la vulnerabilidad de escalada de privilegios. Esta actualización corrige el manejo incorrecto de la función de cambio de usuario, previniendo que atacantes con privilegios de suscriptor puedan acceder a cuentas de administrador.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2025-11168 is a high-severity vulnerability in the Mementor Core WordPress plugin allowing authenticated subscribers to escalate privileges to administrator accounts due to improper user switch back handling.
You are affected if you are using Mementor Core versions 0.0.0 through 2.2.5. Upgrade to 2.2.6 to resolve the issue.
Upgrade the Mementor Core plugin to version 2.2.6 or later. If immediate upgrade is not possible, restrict access to the user switch back functionality.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and release notes for version 2.2.6.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.