Platform
wordpress
Component
age-restriction
Fixed in
3.0.3
CVE-2025-11855 describes a privilege escalation vulnerability in the Age Restriction WordPress plugin. The flaw allows authenticated users, including those holding only the Subscriber role, to create new administrator accounts with predetermined credentials. All versions up to and including 3.0.2 are affected; the fix is in version 3.0.3.
The primary impact of CVE-2025-11855 is that a low-privileged user can gain administrative access to a WordPress site. An attacker with a Subscriber account can exploit the flaw to create a new administrator account and take full control of the site: modifying content, installing malicious plugins, reading sensitive data, and potentially pivoting to other systems on the network. Exploitation requires nothing more than an authenticated low-privilege account, which significantly broadens the attack surface; on sites that allow open user registration, the attacker can create that account themselves.
CVE-2025-11855 was publicly disclosed on 2025-11-11. Given how easy the flaw is to exploit, a public proof-of-concept is likely to emerge. As of this writing the vulnerability is not listed in CISA KEV. Active exploitation is plausible, particularly against sites still running unpatched versions of the Age Restriction plugin.
Sites running the Age Restriction WordPress plugin at version 3.0.2 or earlier are at risk. Shared hosting environments, where several sites share one server, are particularly exposed because a compromise of one site can lead to access to others. WordPress installations with weak user management practices (open registration, unreviewed accounts, no role auditing) are also at increased risk.
• wordpress / composer / npm: wp plugin list | grep age-restriction
• wordpress / composer / npm: wp plugin update age-restriction
• wordpress / composer / npm: grep -r 'age_restrictionRemoteSupportRequest' /var/www/html/wp-content/plugins/age-restriction/
• wordpress / composer / npm: wp plugin status age-restriction
Disclosure
Exploit status
EPSS
0.07% (22nd percentile)
CVSS vector
The immediate mitigation for CVE-2025-11855 is to upgrade the Age Restriction WordPress plugin to version 3.0.3 or later. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily restrict user roles and permissions to limit the impact, and if the site allows open user registration, disable it to remove the easiest route to a Subscriber account. Review the user list for administrator accounts you did not create, especially any registered after the disclosure date. Monitor WordPress and web server logs for unusual activity, in particular attempts to create new administrator accounts. A WAF will not necessarily block this flaw on its own, but it can be configured to flag suspicious requests related to user creation.
The patched release is 3.0.3, as listed in the "Fixed in" field above. Review the vulnerability details carefully and apply mitigations in line with your organization's risk tolerance; if the plugin cannot be updated, uninstalling it and finding a replacement may be the best option.
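The detection commands listed above and the account review described here can be combined into one offline check. The following script is an added example, not code from the page or from the plugin author: it reads the Version: header of the plugin's main PHP file to decide whether the installed copy falls in the affected range (below 3.0.3), and it scans a CSV export of administrator accounts for any registered on or after the disclosure date. It assumes GNU coreutils (sort -V) and a POSIX awk; the plugin file and admin list it writes are constructed sample data, so the names in them (wpsupport, siteowner) are hypothetical.

```shell
#!/bin/sh
# Added example (not the page's or the plugin author's code): flag an
# Age Restriction install in the CVE-2025-11855 affected range (< 3.0.3) and
# list administrator accounts registered on or after the disclosure date.
# Assumes GNU sort -V and a standard awk.

FIXED_VERSION="3.0.3"
DISCLOSED="2025-11-11"

# plugin_version DIR: print the "Version:" header from the plugin's main PHP file.
plugin_version() {
    grep -h -i '^[[:space:]]*\**[[:space:]]*Version:' "$1"/*.php 2>/dev/null \
        | head -n 1 \
        | sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# is_vulnerable VERSION: succeed (exit 0) when VERSION sorts below FIXED_VERSION.
# Returns 2 when no version could be read (plugin not installed).
is_vulnerable() {
    [ -n "$1" ] || return 2
    [ "$1" = "$FIXED_VERSION" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# new_admins CSV SINCE: given the output of
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
# print the logins registered on or after SINCE (YYYY-MM-DD).
new_admins() {
    awk -F, -v since="$2" 'NR > 1 && substr($3, 1, 10) >= since { print $2 }' "$1"
}

# write_sample DIR: constructed sample data so the script runs offline:
# a plugin header at the last affected version and an admin list with one
# hypothetical account created after disclosure.
write_sample() {
    mkdir -p "$1/age-restriction"
    cat > "$1/age-restriction/age-restriction.php" <<'EOF'
<?php
/**
 * Plugin Name: Age Restriction
 * Version: 3.0.2
 */
EOF
    cat > "$1/admins.csv" <<'EOF'
ID,user_login,user_registered
1,siteowner,2021-03-04 09:12:00
17,wpsupport,2025-11-14 02:41:33
EOF
}

# audit DIR: run both checks against DIR; print findings; exit 1 if anything was flagged.
audit() {
    rc=0
    v=$(plugin_version "$1/age-restriction")
    if is_vulnerable "$v"; then
        echo "age-restriction $v is affected by CVE-2025-11855; update to $FIXED_VERSION or later"
        rc=1
    else
        echo "age-restriction ${v:-(not installed)} is not in the affected range"
    fi
    for u in $(new_admins "$1/admins.csv" "$DISCLOSED"); do
        echo "administrator '$u' was registered on or after $DISCLOSED; verify it is legitimate"
        rc=1
    done
    return $rc
}

# Run against the constructed sample:  sh check.sh --demo
# On a real site, point audit at a directory holding wp-content/plugins/age-restriction
# and an admins.csv produced by the wp user list command above.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample "$tmp"
    audit "$tmp"
    rm -rf "$tmp"
fi
```

The version comparison relies on sort -V rather than a string compare so that 3.0.10 is correctly treated as newer than 3.0.3; a missing plugin yields an empty version and is reported as not installed rather than as vulnerable. The admin scan is only a first pass: an attacker who back-dates user_registered directly in the database will not be caught, so treat it as a prompt to review every administrator account, not as proof of a clean site.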
CVE-2025-11855 is a HIGH severity vulnerability in the Age Restriction WordPress plugin that lets authenticated users create administrator accounts, potentially granting them full control of the website.
If you are running the Age Restriction WordPress plugin at version 3.0.2 or earlier, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade the Age Restriction WordPress plugin to version 3.0.3 or later. Check the plugin developer's website and the WordPress plugin repository for the patched release.
No active exploitation has been confirmed, but the ease of exploitation means active campaigns are possible. Monitor your website and logs for suspicious activity, especially newly created administrator accounts.
Check the Age Restriction plugin developer's website and the WordPress plugin repository for the official advisory and patch information.