What the vulnerability does
01 Description
The aapanel WP Toolkit plugin for WordPress is vulnerable to privilege escalation because the auto_login() function performs no authorization check in versions 1.0 to 1.1. Any authenticated user with Subscriber-level access or above can call it, bypass every role check, and obtain full administrator privileges.
Explanation of Vulnerability in Simple Terms
02 Summary
The aapanel WP Toolkit versions 1.0 through 1.1 do not verify who is allowed to call auto_login(), so any logged-in user, even one holding only the Subscriber role, can use it to become an administrator. With that access the attacker can read, modify, or delete sensitive data and disrupt site operations. Update to a version newer than 1.1 as soon as a patch is available; until a patched release exists, deactivating the plugin removes the vulnerable code path.
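The advisory names the bug class (an auto-login handler with no authorization check) but not the code. The following is an added example written for this page, not the aapanel WP Toolkit's own code: a hypothetical WordPress AJAX auto-login handler with the flaw, followed by a hardened version. The hook names, function names, nonce action, and the "log in as the first administrator" logic are all assumptions made for illustration.

```php
<?php
/**
 * Added example, not the aapanel WP Toolkit's own code. Shows the bug class the
 * advisory describes (an auto-login handler with no authorization check) next
 * to a hardened version. Hook names, function names, the nonce action and the
 * "which user to log in" logic are hypothetical.
 */

// Hypothetical helper: return the user ID of the first administrator account.
function example_first_admin_id() {
    $ids = get_users( array( 'role' => 'administrator', 'number' => 1, 'fields' => 'ID' ) );
    return empty( $ids ) ? 0 : (int) $ids[0];
}

// BEFORE (vulnerable pattern): a wp_ajax_* hook fires for ANY logged-in user,
// and nothing in the handler asks who that user is. A Subscriber who POSTs
// action=example_auto_login to wp-admin/admin-ajax.php gets an admin session.
add_action( 'wp_ajax_example_auto_login', 'example_auto_login_vulnerable' );
function example_auto_login_vulnerable() {
    $admin_id = example_first_admin_id();
    if ( ! $admin_id ) {
        wp_send_json_error( 'no administrator account found', 500 );
    }
    wp_set_current_user( $admin_id );
    wp_set_auth_cookie( $admin_id ); // hands the caller the administrator's login cookie
    wp_send_json_success( array( 'redirect' => admin_url() ) );
}

// AFTER (hardened): the same action now refuses callers that cannot present a
// fresh nonce and do not already hold manage_options. Both checks run before
// any side effect; the capability check is the kind of authorization the
// advisory says auto_login() lacked.
add_action( 'wp_ajax_example_auto_login_fixed', 'example_auto_login_fixed' );
function example_auto_login_fixed() {
    // CSRF guard: dies with HTTP 403 if the nonce is missing or stale.
    check_ajax_referer( 'example_auto_login', 'nonce' );

    // Authorization guard: only a user who is already an administrator may
    // mint an administrator session. A Subscriber fails here with 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $admin_id = example_first_admin_id();
    if ( ! $admin_id ) {
        wp_send_json_error( 'no administrator account found', 500 );
    }
    wp_set_current_user( $admin_id );
    wp_set_auth_cookie( $admin_id );
    wp_send_json_success( array( 'redirect' => admin_url() ) );
}
```

When auditing a plugin for this class of flaw, read every `wp_ajax_*`, `admin_post_*` and REST route handler and confirm it calls `current_user_can()` (or an equivalent capability check) and verifies a nonce before doing anything privileged. A `wp_ajax_*` hook without `nopriv` only guarantees that some user is logged in, which is exactly the authenticated-Subscriber precondition this advisory describes.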
What an attacker can do
03 Attacker Capabilities
Obtain an administrator session and then do anything an administrator can: read, modify, or delete site data and settings, and change users, plugins, and themes, all without proper authorization.
Potential impact on your site
04 Site Impact
Low-privilege users can perform admin-level actions, compromising the confidentiality and integrity of site data and the availability of the site.
Conditions required to exploit
05 Prerequisites
The attacker must have a user account on the site, Subscriber role or above, and the site must be running aapanel WP Toolkit version 1.0 to 1.1. Sites that allow open registration ("Anyone can register" in Settings > General) give an attacker that account for free.
Key dates
06 Disclosure timeline
July 18, 2025: CVE published
July 18, 2025: Record updated