CVE-2025-4103: CWE-285 Improper Authorization in luminfire WP-GeoMeta
The WP-GeoMeta plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wp_ajax_wpgm_start_geojson_import() function in versions 0.3.4 to 0.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
AI Analysis
Technical Summary
CVE-2025-4103 is a critical authorization vulnerability classified under CWE-285, affecting the WP-GeoMeta plugin for WordPress, specifically versions 0.3.4 and 0.3.5. The vulnerability stems from the absence of a proper capability check in the wp_ajax_wpgm_start_geojson_import() AJAX handler function. This function is intended to import GeoJSON data but fails to verify whether the requesting user has sufficient privileges before executing. As a result, any authenticated user with at least Subscriber-level access can invoke this function to escalate their privileges to those of an administrator. The vulnerability is remotely exploitable without user interaction, leveraging WordPress's AJAX infrastructure. The CVSS v3.1 base score is 8.8, indicating high severity: a network attack vector, low attack complexity, low privileges required (an authenticated user), no user interaction, and high impact on confidentiality, integrity, and availability. This flaw could allow attackers to gain full control over the WordPress site, including installing malicious plugins, modifying content, or stealing sensitive data. Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation make it a significant risk for affected sites. The lack of an official patch at the time of publication necessitates immediate attention from site administrators using the vulnerable plugin versions.
Potential Impact
The impact of CVE-2025-4103 is substantial for organizations running WordPress sites with the WP-GeoMeta plugin versions 0.3.4 or 0.3.5. Successful exploitation grants attackers full administrative privileges, enabling them to manipulate site content, install backdoors, exfiltrate sensitive data, or disrupt site availability. This can lead to data breaches, defacement, loss of customer trust, and potential regulatory penalties. Since the vulnerability requires only authenticated access at a low privilege level, it lowers the barrier for attackers who may gain Subscriber accounts through phishing, credential stuffing, or other means. The widespread use of WordPress globally, combined with the plugin's niche but relevant functionality for geospatial data, means that targeted attacks could affect organizations in sectors like real estate, logistics, and local services. The absence of known exploits currently provides a window for mitigation, but the high severity score underscores the urgency to address the issue before active exploitation emerges.
Mitigation Recommendations
To mitigate CVE-2025-4103, organizations should immediately audit their WordPress installations for the presence of the WP-GeoMeta plugin, specifically versions 0.3.4 and 0.3.5. Until an official patch is released, administrators can implement the following specific measures:
1. Disable or remove the WP-GeoMeta plugin if its functionality is not critical.
2. Restrict access to the wp-admin/admin-ajax.php endpoint via web application firewall (WAF) rules to limit AJAX calls to trusted IP addresses or authenticated users with higher privileges.
3. Implement custom code to add capability checks on the wp_ajax_wpgm_start_geojson_import() action hook, ensuring only administrators can invoke it.
4. Enforce strong authentication and monitor for unusual privilege escalation attempts in WordPress logs.
5. Regularly update WordPress core and plugins to the latest versions once a patch is available.
6. Employ security plugins that can detect and block unauthorized privilege escalation attempts.
These targeted mitigations go beyond generic advice by focusing on the vulnerable function and access controls specific to this plugin.
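An interim shim for the capability-check measure above, added here as an example and not code from the plugin or from this advisory: placed in wp-content/mu-plugins/ it runs ahead of the plugin's own handler and rejects the import action unless the caller holds manage_options, logging each denial for the monitoring measure. It assumes, per WordPress convention for AJAX callbacks, that WP-GeoMeta attaches its handler to the wp_ajax_wpgm_start_geojson_import hook at the default priority 10; the function name and log prefix are mine.

```php
<?php
/**
 * Plugin Name: WP-GeoMeta capability shim (CVE-2025-4103 interim mitigation)
 * Description: Example must-use plugin that denies the GeoJSON import AJAX
 *              action to anyone who cannot manage_options.
 *
 * Assumption: WP-GeoMeta registers its callback on the standard AJAX hook
 * 'wp_ajax_wpgm_start_geojson_import' at the default priority (10).
 * Registering this guard at priority 0 makes it run first; exiting here
 * means the plugin's unchecked handler never executes for that request.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only meaningful when loaded by WordPress.
}

function cve_2025_4103_guard_geojson_import() {
    // Supply the capability check the plugin's handler lacks.
    // manage_options is held by Administrators, not Subscribers.
    if ( current_user_can( 'manage_options' ) ) {
        return; // Authorized: fall through to the plugin's handler at priority 10.
    }

    // Record the denied attempt so it shows up in the PHP/web server error
    // log and can be alerted on (supports the log-monitoring measure).
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        '[cve-2025-4103-shim] denied wpgm_start_geojson_import for user %d from %s',
        get_current_user_id(),
        $remote
    ) );

    // Answer like a normal AJAX endpoint and stop processing.
    // wp_send_json_error() ends the request via wp_die(), so no later
    // callback on this hook runs.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'wp_ajax_wpgm_start_geojson_import', 'cve_2025_4103_guard_geojson_import', 0 );
```

Files placed directly in wp-content/mu-plugins/ load before regular plugins and cannot be deactivated from the dashboard; remove the shim once a patched plugin release is installed.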
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-29T23:17:30.450Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683aa517182aa0cae2d47e25
Added to database: 5/31/2025, 6:43:35 AM
Last enriched: 2/27/2026, 2:15:40 PM
Last updated: 3/26/2026, 9:15:09 AM