
CVE-2025-4672: CWE-285 Improper Authorization in offsprout Offsprout Page Builder

High
Tags: Vulnerability, CVE-2025-4672, cve, cve-2025-4672, cwe-285
Published: Sat May 31 2025 (05/31/2025, 06:40:55 UTC)
Source: CVE Database V5
Vendor/Project: offsprout
Product: Offsprout Page Builder

Description

The Offsprout Page Builder plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization placed on the permission_callback() function in versions 2.2.1 to 2.15.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to read, create, update or delete any user meta, including flipping their own wp_capabilities to administrator and fully escalating their privileges.

AI-Powered Analysis

Last updated: 07/08/2025, 13:25:24 UTC

Technical Analysis

CVE-2025-4672 is a high-severity vulnerability affecting the Offsprout Page Builder plugin for WordPress, specifically versions from 2.2.1 up to 2.15.2. The vulnerability arises from improper authorization checks implemented in the permission_callback() function. This flaw allows authenticated users with Contributor-level privileges or higher to perform unauthorized actions on user meta data. Exploiting this vulnerability, an attacker can read, create, update, or delete any user meta information, including the critical wp_capabilities field. By manipulating wp_capabilities, an attacker can escalate their privileges to administrator level, thereby gaining full control over the WordPress site. The vulnerability is classified under CWE-285 (Improper Authorization) and has a CVSS v3.1 base score of 8.8, indicating a high level of severity. The attack vector is network-based (remote), requires low attack complexity, and only requires privileges of a Contributor or above, with no user interaction needed. The impact on confidentiality, integrity, and availability is high, as an attacker can fully compromise the site, potentially leading to data breaches, defacement, or further lateral movement within the hosting environment. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and should be treated with urgency. No official patches are listed yet, which increases the risk window for affected users. This vulnerability highlights the critical need for proper authorization checks in WordPress plugins, especially those managing user roles and capabilities.

Potential Impact

For European organizations using WordPress sites with the Offsprout Page Builder plugin, this vulnerability poses a significant risk. An attacker with minimal privileges (Contributor or above) can escalate to administrator, potentially compromising the entire website and any connected systems. This can lead to unauthorized data access, defacement, injection of malicious content, or use of the compromised site as a launchpad for further attacks. Organizations relying on WordPress for e-commerce, customer portals, or internal communications could face severe confidentiality breaches and operational disruptions. Given the widespread use of WordPress across Europe, especially among SMEs and public sector entities, the impact could be broad. Additionally, GDPR compliance could be jeopardized if personal data is exposed or altered. The lack of a patch increases the urgency for mitigation to prevent exploitation. The vulnerability also undermines trust in affected organizations’ web presence and can lead to reputational damage and financial losses.

Mitigation Recommendations

1. Immediate mitigation should include restricting Contributor-level access and above to only trusted users until a patch is available.
2. Implement strict monitoring and logging of user role changes and user meta modifications to detect suspicious activity early.
3. Use Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized API calls targeting the permission_callback() function or user meta endpoints.
4. Consider temporarily disabling or removing the Offsprout Page Builder plugin if it is not critical to operations.
5. Regularly audit user roles and capabilities to ensure no unauthorized privilege escalations have occurred.
6. Follow Offsprout’s official channels for patch releases and apply updates immediately once available.
7. Employ the principle of least privilege in WordPress user management to minimize the number of users with Contributor or higher roles.
8. Educate administrators and developers about the risks of improper authorization and encourage secure coding practices for custom plugins or themes.
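The audit in recommendations 2 and 5 can be run against an export of the user meta table. The following is an added example, not code from Offsprout or from this database: it parses the PHP-serialized wp_capabilities value and flags any user holding a site-control role or capability who is not on an approved list. The sample rows, the `SENSITIVE` set, the function names and the default `wp_` table prefix are assumptions made for the illustration.

```python
import re

# Constructed sample rows (user_id, meta_key, meta_value) standing in for an
# export of wp_usermeta; assumes the default "wp_" table prefix.
SAMPLE_ROWS = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:11:"contributor";b:1;}'),
    (9, "wp_capabilities",
     'a:2:{s:11:"contributor";b:1;s:13:"administrator";b:1;}'),
    (9, "nickname", "guest-writer"),
    (12, "wp_capabilities", 'a:1:{s:6:"editor";b:0;}'),
    (15, "wp_capabilities", "administrator"),  # not a serialized array
]

# Role and capability names that amount to site-level control (assumed list).
SENSITIVE = {"administrator", "manage_options", "edit_users", "promote_users"}

ENTRY = re.compile(r's:(\d+):"([^"]*)";b:([01]);')

def parse_capabilities(value):
    """Return the names set to true in a PHP-serialized wp_capabilities value."""
    outer = re.fullmatch(r"a:(\d+):\{(.*)\}", value)
    if not outer:
        raise ValueError("not a serialized PHP array")
    entries = ENTRY.findall(outer.group(2))
    rebuilt = "".join(f's:{n}:"{name}";b:{flag};' for n, name, flag in entries)
    if rebuilt != outer.group(2) or len(entries) != int(outer.group(1)):
        raise ValueError("unexpected content in capabilities array")
    if any(int(n) != len(name.encode()) for n, name, _ in entries):
        raise ValueError("declared string length does not match")
    return {name for _, name, flag in entries if flag == "1"}

def audit(rows, approved_admins, meta_key="wp_capabilities"):
    """List (user_id, finding) for unapproved sensitive grants or bad values."""
    findings = []
    for user_id, key, value in rows:
        if key != meta_key:
            continue
        try:
            granted = parse_capabilities(value) & SENSITIVE
        except ValueError as err:
            findings.append((user_id, f"unparseable: {err}"))
            continue
        if granted and user_id not in approved_admins:
            findings.append((user_id, "unapproved: " + ",".join(sorted(granted))))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS, approved_admins={1}):
        print(finding)
```

Values that do not parse are reported rather than skipped, since a tampered or hand-edited capabilities entry is itself worth reviewing. On multisite or custom-prefix installs, pass the matching `meta_key`.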


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-13T22:58:20.546Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683aa517182aa0cae2d47e2f

Added to database: 5/31/2025, 6:43:35 AM

Last enriched: 7/8/2025, 1:25:24 PM

Last updated: 8/6/2025, 8:47:39 AM
