CVE-2025-14364: CWE-862 Missing Authorization in kraftplugins Demo Importer Plus
The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account.
AI Analysis
Technical Summary
CVE-2025-14364 is a critical authorization bypass vulnerability classified under CWE-862 (Missing Authorization) affecting the Demo Importer Plus plugin for WordPress. The root cause lies in the lack of a capability check within the Ajax::handle_request() function, which is responsible for handling AJAX requests related to demo content importation. This flaw allows any authenticated user with Subscriber-level privileges or higher to invoke this function and trigger a full site reset. The reset operation drops all database tables except for users and usermeta, effectively wiping out site content, settings, and configurations. Subsequently, the WordPress installation routine (wp_install()) is re-executed, which includes creating an Administrator account and assigning the Administrator role to the attacking user. This results in privilege escalation from a low-privilege user to full administrative control. The vulnerability affects all versions of the plugin up to and including 2.0.8. The CVSS v3.1 score is 8.8 (High), reflecting the network attack vector, low attack complexity, requirement for low privileges, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability’s nature makes it a prime target for attackers seeking to compromise WordPress sites. The absence of a patch at the time of reporting necessitates immediate defensive measures to prevent exploitation.
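The flaw class described above, shown as an added illustration rather than the plugin's own source: a WordPress AJAX handler that omits the capability check, beside the hardened form a maintainer would ship. The class names, the `dip_reset_site` action, the nonce name and the `reset_site()` helper are assumptions for this example; `wp_ajax_*` hooks fire for any logged-in user, so authorization must live inside the callback.

```php
<?php
// Hypothetical illustration (not Demo Importer Plus code) of CWE-862 in a
// WordPress AJAX entry point and of the corrected handler. Names assumed.

// BEFORE: reachable by every authenticated user. add_action('wp_ajax_…')
// only requires a logged-in session; it performs no authorization at all.
class Vulnerable_Ajax {
    public static function register() {
        add_action( 'wp_ajax_dip_reset_site', array( __CLASS__, 'handle_request' ) );
    }

    public static function handle_request() {
        // Missing: capability check and nonce check. A Subscriber reaches
        // the destructive routine directly.
        self::reset_site(); // assumed helper: drops tables, re-runs wp_install()
        wp_send_json_success();
    }
}

// AFTER: authenticate the request origin (nonce) and authorize the user
// (capability) before any destructive work; fail closed with HTTP 403.
class Hardened_Ajax {
    public static function register() {
        add_action( 'wp_ajax_dip_reset_site', array( __CLASS__, 'handle_request' ) );
    }

    public static function handle_request() {
        // 1. CSRF protection: dies with HTTP 400 if the nonce is absent or invalid.
        check_ajax_referer( 'dip_reset_site', 'nonce' );

        // 2. Authorization: a site reset is an administrator-only operation.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }

        // 3. On multisite, restrict further to network super admins.
        if ( is_multisite() && ! is_super_admin() ) {
            wp_send_json_error( array( 'message' => 'Super admin required.' ), 403 );
        }

        self::reset_site(); // same assumed destructive helper as above
        wp_send_json_success();
    }
}
```

Auditors can grep a plugin for `add_action( 'wp_ajax_` and confirm each callback calls `current_user_can()` (or a wrapper) before touching state; the `wp_ajax_nopriv_` variant deserves the same review.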
Potential Impact
For European organizations, this vulnerability poses a significant risk to WordPress-based websites, particularly those using the Demo Importer Plus plugin. Exploitation can lead to complete data loss, including content, configurations, and customizations, severely disrupting business operations and online presence. The automatic assignment of Administrator privileges to an attacker compromises site integrity and confidentiality, enabling further malicious activities such as data theft, malware deployment, or use of the site as a pivot point for broader network attacks. Organizations in sectors relying heavily on WordPress for customer engagement, e-commerce, or internal portals may face reputational damage and regulatory consequences under GDPR if personal data is exposed or lost. The ease of exploitation by low-privilege users increases the threat surface, especially in environments with multiple user accounts or where subscriber roles are assigned to external contributors or customers. The lack of known exploits in the wild currently offers a window for proactive defense, but the high severity score indicates urgent attention is required to mitigate potential impacts.
Mitigation Recommendations
1. Immediately audit and restrict user roles to minimize the number of accounts with Subscriber-level or higher access, especially those that are externally accessible.
2. Disable or uninstall the Demo Importer Plus plugin if it is not essential to operations until a security patch is released.
3. Monitor WordPress logs and AJAX request patterns for unusual activity targeting the Ajax::handle_request() function.
4. Implement web application firewall (WAF) rules to detect and block suspicious AJAX requests related to the plugin’s demo import functionality.
5. Regularly back up WordPress databases and files to enable rapid restoration in case of exploitation.
6. Once available, promptly apply vendor patches or updates addressing this vulnerability.
7. Educate site administrators and developers about the risks of privilege escalation vulnerabilities and enforce the principle of least privilege for all user accounts.
8. Consider deploying intrusion detection systems (IDS) that can alert on privilege escalation attempts within WordPress environments.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-09T17:54:27.227Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6943cc484eb3efac36794b1b
Added to database: 12/18/2025, 9:41:28 AM
Last enriched: 12/25/2025, 10:51:24 AM
Last updated: 2/6/2026, 5:57:43 AM