CVE-2025-5288 is a critical security vulnerability identified in the WordPress plugin 'REST API | Custom API Generator For Cross Platform And Import Export In WP', specifically affecting versions 1.0.0 through 2.0.3. The vulnerability is classified under CWE-862 (Missing Authorization) and stems from the absence of proper capability checks in the process_handler() function. This function handles POST requests to an import_api endpoint, which is intended to facilitate data import/export operations. Due to the missing authorization, unauthenticated attackers can send arbitrary POST requests containing specially crafted JSON payloads. These payloads can manipulate the plugin's import functionality to create new WordPress users with full Administrator privileges without any authentication or user interaction. The vulnerability has a CVSS v3.1 base score of 9.8, reflecting its critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Exploitation could lead to complete site compromise, including unauthorized content modification, data theft, or further pivoting within the hosting environment. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability poses a significant risk to WordPress sites using this plugin, especially those exposed to the internet without additional access controls.

The impact of CVE-2025-5288 is severe and far-reaching for organizations running vulnerable versions of the affected WordPress plugin. Successful exploitation allows attackers to escalate privileges from unauthenticated users to full Administrator roles, effectively granting complete control over the WordPress site. This can lead to unauthorized content changes, data exfiltration, installation of backdoors or malware, and disruption of website availability. For businesses relying on WordPress for e-commerce, customer engagement, or content delivery, such a compromise can result in reputational damage, financial loss, and regulatory penalties. Additionally, attackers could leverage the compromised site as a foothold for lateral movement within the hosting infrastructure or to launch further attacks against connected systems. Given the plugin’s role in cross-platform API generation and import/export, the vulnerability could also expose sensitive data or integration points with other systems. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and widespread abuse.

To mitigate CVE-2025-5288, organizations should immediately assess their WordPress installations for the presence of the vulnerable 'REST API | Custom API Generator For Cross Platform And Import Export In WP' plugin, particularly versions 1.0.0 through 2.0.3. If found, the following specific actions are recommended: 1) Disable or uninstall the plugin until a security patch or updated version with proper authorization checks is released by the vendor. 2) Implement Web Application Firewall (WAF) rules to block POST requests to the import_api endpoint or any suspicious API calls targeting the plugin’s functionality. 3) Restrict access to the WordPress REST API endpoints via IP whitelisting or authentication proxies where feasible. 4) Monitor WordPress user accounts for unauthorized creation or privilege changes, and review logs for anomalous POST requests. 5) Harden WordPress security by enforcing strong administrator passwords and enabling multi-factor authentication to reduce the impact of potential account compromise. 6) Stay informed on vendor updates and apply patches promptly once available. 7) Conduct regular security audits and vulnerability scans focusing on plugins and REST API endpoints. These targeted mitigations go beyond generic advice by focusing on the specific vulnerable functionality and attack vectors.