CVE-2025-10299: CWE-862 Missing Authorization in hakik WPBifröst – Instant Passwordless Temporary Login Links
The WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ctl_create_link AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts and subsequently log in as those.
AI Analysis
Technical Summary
CVE-2025-10299 affects the WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress, which facilitates passwordless login via temporary links. The vulnerability arises from a missing authorization check (CWE-862) on the ctl_create_link AJAX action endpoint. This endpoint is intended to generate temporary login links but lacks proper capability verification, allowing any authenticated user with Subscriber-level privileges or higher to invoke it. By exploiting this flaw, an attacker can create new administrative user accounts without restrictions. Since WordPress roles like Subscriber are commonly assigned to low-privilege users, this vulnerability effectively bypasses intended access controls and escalates privileges to full administrator rights. The vulnerability affects all versions up to and including 1.0.7 of the plugin. The CVSS v3.1 base score is 8.8 (high), reflecting a network attack vector, low attack complexity, low privileges required (any authenticated account), no user interaction, and high impact on confidentiality, integrity, and availability. No patches or fixes have been linked yet, and no known exploits have been reported in the wild as of the publication date. However, the vulnerability’s nature makes it a critical threat to WordPress sites using this plugin, as attackers can fully compromise site control remotely once authenticated.
Potential Impact
The impact of CVE-2025-10299 is severe for organizations using the WPBifröst plugin on WordPress sites. Attackers with minimal authenticated access (Subscriber role) can escalate privileges to administrator, enabling them to create new admin accounts, modify site content, install malicious plugins or backdoors, steal sensitive data, and disrupt site availability. This can lead to complete site takeover, data breaches, defacement, and loss of trust. For businesses relying on WordPress for e-commerce, content management, or customer engagement, such compromise can cause financial loss, reputational damage, and regulatory penalties. The vulnerability’s network accessibility and lack of user interaction requirements increase the risk of automated exploitation and widespread attacks once discovered. Organizations with large user bases or multi-user WordPress environments are particularly at risk, as any low-privilege user account can be leveraged for exploitation.
Mitigation Recommendations
To mitigate CVE-2025-10299, organizations should immediately audit their WordPress installations for the presence of the WPBifröst plugin and verify the version in use. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. If the plugin is essential, restrict the ctl_create_link AJAX action by implementing additional access controls or web application firewall (WAF) rules that block requests to it from accounts that should not be creating login links. Monitoring logs for AJAX activity related to this endpoint, particularly calls from low-privilege accounts, can help detect exploitation attempts. Additionally, review user roles and permissions to minimize the number of users with Subscriber or higher privileges, and enforce strong authentication mechanisms to reduce the risk of compromised accounts. Once a patch is available, apply it promptly. Regular backups and incident response plans should be in place to recover from potential compromises.
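As an illustration of the check the advisory says is missing, and of an interim site-side control while a vendor fix is pending, the following must-use plugin is an added example, not code from the WPBifröst plugin or its author. It assumes the action named on the page is registered on the authenticated-only hook wp_ajax_ctl_create_link and that manage_options (administrator-level on a default install) is the intended capability; both are assumptions, since the page names neither.

```php
<?php
/**
 * Plugin Name: Interim guard for ctl_create_link (illustrative example)
 * Description: Denies the ctl_create_link AJAX action to users lacking an
 *              administrator-level capability and logs each denied attempt.
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Assumption: the plugin registers its handler on wp_ajax_ctl_create_link
// at the default priority (10). Priority 0 makes this guard run first.
add_action( 'wp_ajax_ctl_create_link', 'ctl_guard_require_admin', 0 );

function ctl_guard_require_admin() {
    // Assumption: only administrators should mint temporary login links.
    // This is the capability check a CWE-862 handler omits.
    $required_cap = 'manage_options';

    if ( current_user_can( $required_cap ) ) {
        return; // Allowed: the plugin's own handler runs next at priority 10.
    }

    $user = wp_get_current_user();
    // One log line per denied call so a log monitor can alert on repeated
    // hits from a low-privilege account. REMOTE_ADDR is the proxy's address
    // when WordPress sits behind a reverse proxy; adjust for your setup.
    error_log( sprintf(
        'ctl_guard: denied ctl_create_link user_id=%d login=%s ip=%s',
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() writes the JSON body and terminates the request,
    // so the unchecked handler at priority 10 never executes.
    wp_send_json_error(
        array( 'message' => 'Insufficient privileges.' ),
        403
    );
}
```

This guard only covers the one hook name given on the page and does not replace the vendor patch; disabling the plugin remains the stronger interim option.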
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-11T20:55:54.797Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ef5c7cc4f69c9730e56978
Added to database: 10/15/2025, 8:34:04 AM
Last enriched: 2/27/2026, 6:19:14 PM
Last updated: 3/26/2026, 8:04:46 AM