CVE-2025-6813 HIGH

CVE-2025-6813: aapanel WP Toolkit 1.0 - 1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via auto_login() Function

Vendor Aapanel
Product aapanel WP Toolkit
Weakness CWE-862 · Missing authorization
Published July 18, 2025
Last update July 18, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The aapanel WP Toolkit plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within the auto_login() function in versions 1.0 to 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass all role checks and gain full admin privileges.
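The pattern behind a CWE-862 finding of this kind is easiest to see in code. The following is an added, illustrative reconstruction written for this page, not the aapanel WP Toolkit source: the hook names, function names and nonce action below are assumptions. It places a vulnerable WordPress AJAX handler that switches the caller's session to an administrator account without any authorization check beside a hardened version that verifies a nonce and a capability first.

```php
<?php
/**
 * Illustrative example only. NOT the aapanel WP Toolkit code: the hook
 * names, function names and nonce action are assumptions for this page.
 *
 * Key point: wp_ajax_{action} hooks fire for ANY authenticated user,
 * Subscriber included. is_user_logged_in() answers "who are you?"
 * (authentication); it never answers "may you do this?" (authorization).
 * CWE-862 is exactly the second question going unasked.
 */

// ---------------------------------------------------------------------
// Vulnerable pattern: missing authorization before a privileged action.
// ---------------------------------------------------------------------
add_action( 'wp_ajax_example_auto_login', 'example_auto_login_vulnerable' );

function example_auto_login_vulnerable() {
    // Pick an administrator account server-side.
    $admins = get_users( array( 'role' => 'administrator', 'number' => 1 ) );
    if ( empty( $admins ) ) {
        wp_send_json_error( 'no administrator found', 404 );
    }
    $admin = $admins[0];

    // No check_ajax_referer(), no current_user_can(): any logged-in
    // caller, even a Subscriber, is now issued an administrator session.
    wp_set_current_user( $admin->ID );
    wp_set_auth_cookie( $admin->ID, true );

    wp_send_json_success( array( 'redirect' => admin_url() ) );
}

// ---------------------------------------------------------------------
// Hardened pattern: the same action gated by CSRF and capability checks.
// ---------------------------------------------------------------------
add_action( 'wp_ajax_example_auto_login_safe', 'example_auto_login_hardened' );

function example_auto_login_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and
    //    this user (wp_create_nonce( 'example_auto_login' ) on the page).
    check_ajax_referer( 'example_auto_login', 'nonce' );

    // 2. Authorization: the caller must already hold the power the handler
    //    grants. manage_options is the conventional "administrator" check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Never let the client choose the target account. Resolve it
    //    server-side and confirm the resolved user really is privileged.
    $admins = get_users( array( 'role' => 'administrator', 'number' => 1 ) );
    if ( empty( $admins ) || ! user_can( $admins[0]->ID, 'manage_options' ) ) {
        wp_send_json_error( 'no administrator found', 404 );
    }
    $admin = $admins[0];

    wp_set_current_user( $admin->ID );
    wp_set_auth_cookie( $admin->ID, true );

    wp_send_json_success( array( 'redirect' => admin_url() ) );
}
```

When auditing a plugin for this class of bug, grep for every call to wp_set_auth_cookie(), wp_set_current_user(), wp_update_user() and set_role(), then walk back through each call site looking for a current_user_can() (or user_can()) check on the caller before the privileged call. A handler reachable through wp_ajax_, wp_ajax_nopriv_, admin_post_ or a REST route whose only gate is a login is the pattern described in this advisory. If the feature must legitimately work for a caller that is not yet an administrator (for example, a hosting panel logging its owner in), a role check is the wrong tool; the handler then needs a server-minted, single-use, expiring secret compared with hash_equals(), which is a different design from the one shown here.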

Explanation of Vulnerability in Simple Terms

Summary

In versions 1.0 through 1.1 of aapanel WP Toolkit, the auto_login() function performs a privileged action without first checking whether the caller is allowed to trigger it. Any logged-in user, including a Subscriber, can therefore reach it and come away with administrator privileges. From there the attacker controls the site: content, users and settings can be read, changed or deleted, and the site can be taken offline. Because a valid login is the only barrier, sites with open user registration are exposed to anyone who signs up. Update to a release newer than 1.1 as soon as the vendor publishes one; until then, deactivating the plugin or closing user registration removes the precondition.

What an attacker can do

Attacker Capabilities

Act with full administrator rights: read, modify, or delete posts, users, and site settings, and carry out any other action the administrator role permits.

Potential impact on your site

Site Impact

A Subscriber-level account can be escalated to administrator, putting the confidentiality, integrity and availability of the site at risk (CVSS C:H/I:H/A:H).

Conditions required to exploit

Prerequisites

The site must run aapanel WP Toolkit version 1.0 or 1.1 with the plugin active, and the attacker must be authenticated with at least a Subscriber-level account. No user interaction by an administrator is needed. On sites that allow open registration, the account requirement is trivial to meet.

Key dates

Disclosure timeline

July 18, 2025 CVE published
July 18, 2025 Record updated
