CVE-2025-6042 HIGH

CVE-2025-6042: Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme <= 1.4.0 - Unauthenticated Privilege Escalation to Editor

Vendor Pebas
Product Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme
Weakness CWE-269
Published October 15, 2025
Last update April 8, 2026

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.0. This is due to the plugin assigning the editor role by default. While limitations with respect to capabilities are put in place, use of the API is not restricted. This vulnerability can be leveraged together with CVE-2025-6038 to obtain admin privileges.
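Because the flaw described above hands out the editor role by default, a site that ran an affected version should review which accounts hold that role. The script below is an added example, not code from the plugin or this advisory: it audits a user export shaped like `wp user list --format=json` output and reports editor or administrator accounts missing from an allowlist. The sample export, the logins and the allowlist are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample shaped like `wp user list --format=json` output (not real data).
SAMPLE_EXPORT = """[
  {"ID": 1,  "user_login": "siteadmin", "user_registered": "2023-02-01 09:00:00", "roles": "administrator"},
  {"ID": 7,  "user_login": "newsdesk",  "user_registered": "2024-05-12 14:30:00", "roles": "editor"},
  {"ID": 41, "user_login": "seller_a",  "user_registered": "2025-09-30 22:10:05", "roles": "editor"},
  {"ID": 42, "user_login": "seller_b",  "user_registered": "2025-10-02 03:44:51", "roles": "editor,customer"},
  {"ID": 43, "user_login": "reader_c",  "user_registered": "2025-10-03 08:00:00", "roles": "subscriber"},
  {"ID": 44, "user_login": "seller_d",  "user_registered": "2025-10-04 11:15:00", "roles": "administrator"}
]"""

PRIVILEGED = {"editor", "administrator"}  # editor: this CVE; administrator: the chained case
FMT = "%Y-%m-%d %H:%M:%S"                 # WordPress user_registered format


def audit_roles(export_json, approved_logins, since=None):
    """Return unapproved accounts holding a privileged role, oldest first.

    approved_logins: logins the site owner expects to be privileged (assumed list).
    since: optional "YYYY-MM-DD HH:MM:SS"; keep only accounts registered at or after it.
    """
    cutoff = datetime.strptime(since, FMT) if since else None
    findings = []
    for user in json.loads(export_json):
        # WP-CLI prints multiple roles as one comma-separated string.
        roles = {r.strip() for r in str(user.get("roles", "")).split(",") if r.strip()}
        held = sorted(roles & PRIVILEGED)
        if not held or user["user_login"] in approved_logins:
            continue
        registered = datetime.strptime(user["user_registered"], FMT)
        if cutoff and registered < cutoff:
            continue
        findings.append({"id": int(user["ID"]), "login": user["user_login"],
                         "roles": held, "registered": registered})
    return sorted(findings, key=lambda f: f["registered"])


if __name__ == "__main__":
    for f in audit_roles(SAMPLE_EXPORT, approved_logins={"siteadmin", "newsdesk"}):
        print(f"{f['registered']}  id={f['id']:<4} {f['login']:<10} roles={','.join(f['roles'])}")
```

Accounts the audit reports still need manual review, since an unapproved editor may be a legitimate user who simply received the default role.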

Explanation of Vulnerability in Simple Terms

02 Summary

The Lisfinity Core WordPress plugin through version 1.4.0 contains a privilege management flaw that allows unauthenticated attackers to read sensitive data, modify content, or disrupt site availability. The vulnerability requires no user interaction and can be exploited over the network. Site administrators should update the plugin immediately to a version newer than 1.4.0.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify site content, or cause the site to become unavailable without needing to log in.

Potential impact on your site

04 Site Impact

Unauthorized users can access private information, alter pages/posts, or disrupt site operations without credentials.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

October 15, 2025 CVE published
April 8, 2026 Record updated