
CVE-2025-10299: CWE-862 Missing Authorization in hakik WPBifröst – Instant Passwordless Temporary Login Links

Severity: High
Published: Wed Oct 15 2025 (10/15/2025, 08:25:55 UTC)
Source: CVE Database V5
Vendor/Project: hakik
Product: WPBifröst – Instant Passwordless Temporary Login Links

Description

The WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ctl_create_link AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts and subsequently log in as those accounts.

AI-Powered Analysis

AI analysis last updated: 10/15/2025, 08:50:50 UTC

Technical Analysis

CVE-2025-10299 is a high-severity privilege escalation vulnerability in the WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress, affecting all versions up to and including 1.0.7. The root cause is a missing authorization check on the ctl_create_link AJAX action: the handler never verifies whether the authenticated user holds the capability required to perform the action. As a result, any authenticated user with Subscriber-level access or higher can invoke this AJAX endpoint to create new administrative user accounts. This bypasses WordPress's standard role-based access controls, allowing attackers to escalate from a low-privilege account to full administrator rights. Once administrative access is obtained, attackers can fully compromise the website, including modifying content, installing backdoors, stealing sensitive data, or disrupting service. The vulnerability is remotely exploitable over the network and requires no user interaction beyond the attacker's own authentication, making it especially dangerous on sites where Subscriber or other low-level accounts can be obtained (for example through open registration). The CVSS 3.1 base score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no user interaction. Although no public exploits have been reported yet, the nature of the flaw and the ease of exploitation make it a significant threat. The CVE was reserved in early September 2025 and published in mid-October 2025; at the time of this analysis no official patch or update had been linked, so affected sites remain vulnerable until mitigations are applied.

Potential Impact

For European organizations, this vulnerability poses a severe risk to WordPress-based websites, especially those that allow user registrations at Subscriber level or higher. Attackers exploiting this flaw can gain full administrative control, leading to potential data breaches, website defacement, unauthorized data manipulation, and service disruptions. This can result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data exposure), and financial losses. Organizations relying on WordPress for e-commerce, customer portals, or internal communications are particularly vulnerable. The ease of exploitation means that attackers do not need sophisticated skills or social engineering to leverage this vulnerability once they have low-level access. Given the widespread use of WordPress across Europe, the potential attack surface is large, and the impact can extend to critical sectors such as government, finance, healthcare, and media. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the risk of rapid exploitation remains high.

Mitigation Recommendations

1. Immediately restrict access to the ctl_create_link AJAX action by implementing custom capability checks, or disable the AJAX endpoint if it is not required.
2. Monitor user accounts with Subscriber-level access and above for suspicious activity, particularly unexpected creation of new administrator accounts.
3. Enforce strict user registration policies, including manual approval and multi-factor authentication for elevated roles.
4. Regularly audit WordPress user roles and permissions to detect unauthorized privilege escalations.
5. Apply the principle of least privilege by limiting the number of users with elevated access.
6. Once available, promptly update the WPBifröst plugin to a patched version that includes proper authorization checks.
7. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious AJAX requests targeting the vulnerable endpoint.
8. Conduct security awareness training for administrators to recognize signs of compromise.
9. Back up WordPress sites regularly and verify backup integrity to enable rapid recovery if a compromise occurs.
10. Consider isolating WordPress instances or using containerization to limit lateral movement in case of exploitation.
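The following must-use plugin is an added example illustrating mitigations 1 and 2 above and the missing check described in the Technical Analysis; it is not code from the WPBifröst plugin or from this page. It assumes the plugin registers its handler through the standard WordPress wp_ajax_{action} hook for the ctl_create_link action named in the advisory, so a callback at priority 0 runs before the plugin's own handler (default priority 10); the hypothetical function names are mine.

```php
<?php
/**
 * Plugin Name: Guard ctl_create_link (hypothetical interim hardening)
 * Description: Added example for CVE-2025-10299. Place in wp-content/mu-plugins/.
 *
 * Assumption: the vulnerable handler is attached to the standard
 * 'wp_ajax_ctl_create_link' hook, so hooking at priority 0 runs first.
 * 'create_users' is the core capability WordPress expects of anyone
 * allowed to add accounts; Subscribers do not have it.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Mitigation 1: enforce the capability check the plugin omits.
 * Terminates the AJAX request before the plugin's handler can run.
 */
function guard_ctl_create_link_capability() {
    if ( current_user_can( 'create_users' ) ) {
        return; // Authorized caller: let the plugin's own handler proceed.
    }
    // Record the denied attempt so log monitoring can alert on it.
    error_log( sprintf(
        'CVE-2025-10299 guard: ctl_create_link denied for user ID %d',
        get_current_user_id()
    ) );
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'wp_ajax_ctl_create_link', 'guard_ctl_create_link_capability', 0 );

/**
 * Mitigation 2: alert whenever any code path grants the administrator role.
 * 'set_user_role' fires from WP_User::set_role(), which wp_insert_user()
 * also calls, so new admin accounts and role changes are both covered.
 */
function guard_alert_on_admin_role( $user_id, $role, $old_roles ) {
    if ( 'administrator' !== $role ) {
        return;
    }
    $user    = get_userdata( $user_id );
    $login   = $user ? $user->user_login : '(unknown)';
    $message = sprintf(
        'Administrator role set on account %s (ID %d) by user ID %d; previous roles: %s',
        $login, $user_id, get_current_user_id(), implode( ',', (array) $old_roles )
    );
    error_log( 'CVE-2025-10299 guard: ' . $message );
    wp_mail( get_option( 'admin_email' ), 'New administrator role assigned', $message );
}
add_action( 'set_user_role', 'guard_alert_on_admin_role', 10, 3 );
```

Because the guard denies by capability rather than by role name, custom roles that legitimately hold create_users keep working, while a Subscriber calling admin-ajax.php with action=ctl_create_link receives a 403 JSON error and a log entry.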


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-09-11T20:55:54.797Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68ef5c7cc4f69c9730e56978

Added to database: 10/15/2025, 8:34:04 AM

Last enriched: 10/15/2025, 8:50:50 AM

Last updated: 10/15/2025, 4:05:31 PM
