Platform
wordpress
Component
wpc-admin-columns
Fixed in
2.1.1
CVE-2025-3418 is a privilege escalation vulnerability discovered in the WPC Admin Columns plugin for WordPress. An authenticated attacker with Subscriber-level access or higher can exploit this flaw to elevate their privileges to administrator, granting them full control over the WordPress site. This vulnerability impacts versions 2.0.6 through 2.1.0 and has been addressed with a plugin update.
Successful exploitation of CVE-2025-3418 allows an attacker to gain administrator privileges on a WordPress site. This grants them complete control, including the ability to install malicious plugins, modify themes, access sensitive data, and potentially compromise the entire system. The attacker could exfiltrate user data, inject malicious code, or deface the website. The blast radius extends to all data and functionality accessible through the WordPress installation.
CVE-2025-3418 was publicly disclosed on 2025-04-12. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's ease of exploitation suggests a potential for active exploitation. It is not currently listed on the CISA KEV catalog. Because exploitation requires only an authenticated Subscriber-level account, the barrier to entry for attackers is low.
WordPress websites utilizing the WPC Admin Columns plugin in versions 2.0.6 through 2.1.0 are at risk. Sites with a large number of Subscriber-level users or those with weak password policies are particularly vulnerable. Shared hosting environments where plugin updates are not consistently managed are also at increased risk.
• wordpress / composer / npm:
  grep -r 'ajax_edit_save()' /var/www/html/wp-content/plugins/wp-admin-columns/
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'wp-admin-columns'
• wordpress / composer / npm:
  wp plugin update wp-admin-columns
Disclosure
Exploit status
EPSS
0.26% (49th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-3418 is to immediately update the WPC Admin Columns plugin to a patched version. If updating is not immediately feasible due to compatibility issues or breaking changes, consider restricting user meta update permissions through custom code or a security plugin. Review user roles and permissions to ensure no unauthorized users have elevated privileges. After upgrading, verify the fix by attempting to escalate a Subscriber account to Administrator using the plugin’s AJAX functionality; the attempt should fail.
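As an added illustration of the interim measure above (restricting user meta update permissions through custom code), the following must-use plugin is example code written for this page, not code from the WPC Admin Columns project or the advisory. It hooks WordPress's short-circuit filters for user meta writes and refuses any change to the role-bearing meta keys (the prefixed `capabilities` and `user_level` keys) by a logged-in user who lacks the `promote_users` capability, logging the refused attempt. The `hx_` function names and the log prefix are arbitrary choices made here; the filter names and their argument order are those of WordPress core.

```php
<?php
/**
 * Plugin Name: Protect role-bearing user meta (hardening example)
 * Description: Refuses writes to the capabilities/user_level meta keys by
 *              authenticated users without the promote_users capability.
 *              Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 *              Defense in depth only; updating the plugin remains the real fix.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * True when $meta_key is one of the keys that carry a user's role.
 * WordPress prefixes them with the table prefix, e.g. wp_capabilities.
 */
function hx_is_role_meta_key( $meta_key ) {
    global $wpdb;
    $role_keys = array(
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
    );
    return in_array( $meta_key, $role_keys, true );
}

/**
 * Callback for the add_/update_/delete_user_metadata short-circuit filters.
 * Returning null lets WordPress carry on; returning false refuses the write
 * (core returns (bool) $check to the caller without touching the database).
 */
function hx_guard_role_meta( $check, $object_id, $meta_key ) {
    if ( ! hx_is_role_meta_key( $meta_key ) ) {
        return $check;
    }

    // No logged-in user: self-registration, WP-CLI, cron. The flaw described
    // above needs an authenticated Subscriber, so these paths are left alone
    // rather than breaking role assignment for new accounts.
    $actor = get_current_user_id();
    if ( 0 === $actor ) {
        return $check;
    }

    // Only users allowed to promote others may change role-bearing meta.
    if ( current_user_can( 'promote_users' ) ) {
        return $check;
    }

    // Refused: record who tried to change whose role so the attempt is visible
    // in the PHP error log for later review.
    error_log( sprintf(
        '[role-meta-guard] blocked user %d writing %s on user %d',
        $actor,
        $meta_key,
        (int) $object_id
    ) );
    return false;
}

add_filter( 'add_user_metadata', 'hx_guard_role_meta', 10, 3 );
add_filter( 'update_user_metadata', 'hx_guard_role_meta', 10, 3 );
add_filter( 'delete_user_metadata', 'hx_guard_role_meta', 10, 3 );
```

The guard sits below any plugin's AJAX handler, so it applies regardless of which code path attempts the write; the log line it emits doubles as a detection signal for the verification step described above, where an escalation attempt from a Subscriber account should fail.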
Update the WPC Admin Columns plugin to the latest available version. This fixes the privilege escalation vulnerability by allowing only authorized users to modify user metadata.
CVE-2025-3418 is a HIGH severity vulnerability in WPC Admin Columns versions 2.0.6–2.1.0 allowing authenticated Subscribers to escalate to administrator roles.
You are affected if your WordPress site uses WPC Admin Columns version 2.0.6 through 2.1.0. Check your plugin versions immediately.
Update the WPC Admin Columns plugin to the latest available version. If immediate updating is not possible, consider restricting user meta update permissions.
While no public exploits are currently available, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the WPC Admin Columns official website or WordPress plugin repository for the latest advisory and update information.