CVE-2025-39405 HIGH

CVE-2025-39405: WordPress WPAMS plugin <= 44.0 (17-08-2023) - Privilege Escalation vulnerability

Vendor Mojoomla
Product WPAMS
Weakness CWE-266
Published May 19, 2025
Last update April 28, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Incorrect Privilege Assignment vulnerability in mojoomla WPAMS apartment-management allows Privilege Escalation. This issue affects WPAMS: from n/a through <= 44.0 (17-08-2023).

Explanation of Vulnerability in Simple Terms

02 Summary

WPAMS for WordPress versions up to 44.0 contain an insufficient privilege validation flaw. An authenticated user with low-level permissions can read, modify, or delete sensitive data and perform administrative actions they should not have access to. The vulnerability requires a valid user account but no additional user interaction. Sites running affected versions should update immediately.

What an attacker can do

03 Attacker Capabilities

Read, modify, or delete data and perform admin actions without proper authorization.

Potential impact on your site

04 Site Impact

Unauthorized users can access and alter sensitive site data, user accounts, and configuration.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid low-privilege user account on the WordPress site.

Key dates

06 Disclosure timeline

May 19, 2025 CVE published
April 28, 2026 Record updated