
CVE-2025-14364: CWE-862 Missing Authorization in kraftplugins Demo Importer Plus

Severity: High
Published: Thu Dec 18 2025 (12/18/2025, 09:21:30 UTC)
Source: CVE Database V5
Vendor/Project: kraftplugins
Product: Demo Importer Plus

Description

The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 11:07:26 UTC

Technical Analysis

The Demo Importer Plus plugin for WordPress suffers from a critical authorization bypass vulnerability identified as CVE-2025-14364. The root cause is a missing capability check in the Ajax::handle_request() function, which is responsible for handling AJAX requests within the plugin. This flaw allows any authenticated user with at least Subscriber privileges to invoke this function without proper permission validation. By exploiting this, an attacker can trigger a full site reset operation that drops all database tables except the users and usermeta tables. Subsequently, the WordPress installation routine (wp_install()) is rerun, which recreates the database schema and crucially assigns the Administrator role to the attacker's account. This results in a complete privilege escalation from Subscriber to Administrator. The vulnerability affects all versions up to and including 2.0.8 of the plugin. The CVSS 3.1 score of 8.8 reflects the network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the vulnerability is straightforward to exploit given authenticated access. This vulnerability falls under CWE-862 (Missing Authorization), highlighting the lack of proper access control checks. The absence of a patch link suggests that a fix may not yet be publicly available, increasing urgency for mitigation.
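The fault described above is an AJAX handler that does something destructive without asking what the caller is allowed to do. The following is an added illustration, not the plugin's code: a handler in the CWE-862 shape (authentication only, via the wp_ajax_ prefix) next to a hardened version using the checks WordPress itself provides. The action name demo_reset and the routine run_site_reset() are hypothetical stand-ins.

```php
<?php
// Added example (not Demo Importer Plus code). demo_reset and run_site_reset()
// are hypothetical names; run_site_reset() stands for the drop-tables-and-
// re-run-wp_install() routine the advisory describes.

// Vulnerable shape: wp_ajax_* only requires a logged-in session, so a
// Subscriber reaches the handler and nothing checks what that user may do.
function demo_reset_handler_vulnerable() {
    run_site_reset();
    wp_send_json_success();
}
// Shown for contrast only; do not register it.

// Hardened shape: CSRF protection (nonce) plus authorization (capability),
// each rejecting the request before any destructive work happens.
function demo_reset_handler_hardened() {
    // Nonce ties the request to a page this user loaded; forged or replayed
    // requests die here with a 403 (third argument defaults to true).
    check_ajax_referer( 'demo_reset_nonce', 'nonce' );

    // Authorization: Subscribers lack manage_options, so the reset is refused
    // even though the request is authenticated.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Defence in depth for an irreversible action: require an explicit
    // confirmation token in the POST body, not just the action name.
    $confirm = isset( $_POST['confirm'] ) ? sanitize_text_field( wp_unslash( $_POST['confirm'] ) ) : '';
    if ( 'RESET' !== $confirm ) {
        wp_send_json_error( array( 'message' => 'Confirmation required.' ), 400 );
    }

    run_site_reset();
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_reset', 'demo_reset_handler_hardened' );
```

The capability check is the fix for CWE-862; the nonce alone would not have helped, since the attacker here is a legitimately logged-in user sending their own request.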

Potential Impact

The impact of CVE-2025-14364 is severe for organizations running WordPress sites with the Demo Importer Plus plugin installed. Attackers with minimal privileges (Subscriber-level) can escalate to full Administrator access, compromising the entire site. This leads to complete loss of data integrity and availability due to the database reset, except for user data. The attacker gains full control over the site, enabling further malicious activities such as data theft, website defacement, malware deployment, or pivoting to other internal systems. The loss of data and administrative control can cause significant operational disruption, reputational damage, and potential regulatory compliance violations. Given WordPress's widespread use globally, the vulnerability poses a substantial risk to small businesses, blogs, and enterprise websites alike. The ease of exploitation without user interaction further exacerbates the threat, making timely mitigation critical.

Mitigation Recommendations

Until an official patch is released, organizations should implement the following mitigations:

1) Restrict access to the WordPress admin area and plugin AJAX endpoints to trusted users only, preferably limiting Subscriber-level accounts or disabling unnecessary accounts.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting the Demo Importer Plus plugin's handle_request function.
3) Monitor WordPress logs and audit trails for unusual activities such as unexpected database resets or role changes.
4) Temporarily deactivate or uninstall the Demo Importer Plus plugin if it is not essential to reduce attack surface.
5) Enforce strong authentication and consider multi-factor authentication (MFA) for all user accounts to reduce risk of compromised credentials.
6) Regularly back up the WordPress database and files to enable rapid recovery in case of exploitation.
7) Once available, promptly apply the official patch from the plugin vendor.
8) Review and harden WordPress user roles and permissions to minimize privilege escalation opportunities.
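Mitigation 3 asks for monitoring of role changes. The following added example (not part of the advisory or the plugin) is a small must-use plugin that logs and emails an alert whenever an account is promoted to Administrator; it relies on the core set_user_role action, which fires from WP_User::set_role(). The log line format, the prefix rew_, and the use of the site admin email as the alert destination are assumptions.

```php
<?php
/*
 * Plugin Name: Role Escalation Watch (added example)
 * Description: Drop into wp-content/mu-plugins/. Logs and alerts when any
 *              account is granted the administrator role it did not hold.
 */

// Core fires set_user_role( $user_id, $new_role, $old_roles ) from
// WP_User::set_role(); hook with priority 10 and all three arguments.
add_action( 'set_user_role', 'rew_watch_role_change', 10, 3 );

function rew_watch_role_change( $user_id, $new_role, $old_roles ) {
    $old_roles = (array) $old_roles;

    // Only promotions into administrator are interesting here.
    if ( 'administrator' !== $new_role || in_array( 'administrator', $old_roles, true ) ) {
        return;
    }

    $target = get_userdata( $user_id );
    $actor  = wp_get_current_user(); // ID 0 when no user is logged in
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
    $uri    = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-';

    // Assumed log format; kept on one line so a SIEM can parse it by key=value.
    $line = sprintf(
        '[role-escalation] user=%s id=%d old=%s new=%s actor=%s ip=%s uri=%s',
        $target ? $target->user_login : 'unknown',
        (int) $user_id,
        $old_roles ? implode( ',', $old_roles ) : 'none',
        $new_role,
        $actor && $actor->ID ? $actor->user_login : 'none',
        $ip,
        $uri
    );

    // error_log() lands in the PHP error log, or wp-content/debug.log when
    // WP_DEBUG_LOG is enabled; the email is a second, out-of-band channel.
    error_log( $line );
    wp_mail( get_option( 'admin_email' ), 'WordPress: administrator role granted', $line );
}
```

A request from a Subscriber account that ends in a line where old=subscriber and new=administrator, with a uri pointing at admin-ajax.php, is exactly the pattern this advisory describes and warrants immediate investigation.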


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-12-09T17:54:27.227Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6943cc484eb3efac36794b1b

Added to database: 12/18/2025, 9:41:28 AM

Last enriched: 2/27/2026, 11:07:26 AM

Last updated: 3/25/2026, 8:28:58 AM

