The Starfish Review Generation & Marketing plugin for WordPress suffers from a missing authorization vulnerability identified as CVE-2025-15157 (CWE-862). Specifically, the 'srm_restore_options_defaults' function lacks proper capability checks, allowing any authenticated user with at least Subscriber privileges to invoke it and modify arbitrary WordPress options. This includes critical options such as the default user role for new registrations and enabling user registration itself. By exploiting this, an attacker can set the default role to 'administrator' and enable open user registration, thereby creating new admin accounts without legitimate authorization. This vulnerability affects all plugin versions up to and including 3.1.19. The CVSS v3.1 base score is 8.8 (high), reflecting network attack vector, low attack complexity, requiring only low privileges, no user interaction, and high impact on confidentiality, integrity, and availability. The flaw allows privilege escalation from low-level authenticated users to full administrative control, compromising the entire WordPress site. No public patches or exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly.

The impact of this vulnerability is severe for organizations running WordPress sites with the Starfish Review Generation & Marketing plugin installed. Attackers with minimal authenticated access can escalate privileges to administrator level, enabling full control over the website. This can lead to unauthorized content modification, data theft, insertion of malicious code or backdoors, defacement, and complete site takeover. The ability to create new admin users also facilitates persistent access and lateral movement within the hosting environment. For e-commerce, membership, or business-critical sites, this could result in significant financial loss, reputational damage, and regulatory compliance violations. The vulnerability affects the confidentiality, integrity, and availability of the affected WordPress installations, potentially impacting millions of sites worldwide given WordPress's market share and the plugin's usage.

Immediate mitigation steps include disabling the Starfish Review Generation & Marketing plugin until a security patch is released. Administrators should restrict user roles to trusted users only and audit existing user accounts for unauthorized administrators. Implementing Web Application Firewall (WAF) rules to block requests invoking the vulnerable function can provide temporary protection. Monitoring logs for suspicious option changes or new admin user creations is critical. Site owners should upgrade to a patched version once available or apply custom patches to enforce capability checks on the 'srm_restore_options_defaults' function. Additionally, enforcing strong authentication mechanisms and limiting user registrations can reduce risk. Regular backups and incident response plans should be in place to recover from potential compromises.