CVE-2025-5288: CWE-862 Missing Authorization in weboccults REST API | Custom API Generator For Cross Platform And Import Export In WP

Critical
Tags: vulnerability, cve-2025-5288, cwe-862
Published: Fri Jun 13 2025 (06/13/2025, 01:47:46 UTC)
Source: CVE Database V5
Vendor/Project: weboccults
Product: REST API | Custom API Generator For Cross Platform And Import Export In WP

Description

The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges.

AI-Powered Analysis

AI analysis last updated: 06/13/2025, 02:53:44 UTC

Technical Analysis

CVE-2025-5288 is a critical privilege escalation vulnerability found in the WordPress plugin 'REST API | Custom API Generator For Cross Platform And Import Export In WP' developed by weboccults, affecting versions 1.0.0 through 2.0.3. The root cause of this vulnerability is a missing authorization check (CWE-862) in the process_handler() function, which handles POST requests to import data via an arbitrary import_api URL. Due to the lack of capability verification, unauthenticated attackers can craft and send specially formatted JSON payloads to this endpoint, enabling them to create new WordPress users with full Administrator privileges. This effectively bypasses all authentication and authorization mechanisms, granting attackers complete control over the affected WordPress site. The vulnerability has a CVSS 3.1 base score of 9.8 (critical), reflecting its high impact on confidentiality, integrity, and availability, as well as its ease of exploitation without any required privileges or user interaction. Although no known exploits have been reported in the wild yet, the straightforward exploitation method and the critical nature of the flaw make it a significant threat to WordPress sites using this plugin. The vulnerability was publicly disclosed on June 13, 2025, and as of this date, no official patches have been released by the vendor, increasing the urgency for mitigation.
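As an added illustration of the CWE-862 pattern described above (example code written for this page, not the plugin's own code: the namespace example-import/v1, the route paths, the function names and the JSON shape are all assumptions), here is a WordPress REST import route registered once without an authorization check and once hardened, sharing one handler so that the difference in exposure comes entirely from the permission callback:

```php
<?php
// Added example: a hypothetical WordPress REST import route shown twice,
// once without an authorization check (the CWE-862 pattern) and once hardened.
// Namespace, route paths, function names and the JSON shape are assumptions.

add_action( 'rest_api_init', function () {
    // Unchecked variant, registered only for contrast: '__return_true' makes the
    // route callable by anyone, including anonymous clients, so the handler
    // alone decides what happens with caller-supplied JSON.
    register_rest_route( 'example-import/v1', '/import-unchecked', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_process_handler',
        'permission_callback' => '__return_true',
    ) );

    // Hardened variant: WordPress evaluates permission_callback before the
    // handler runs, so the capability decision cannot be forgotten inside it.
    register_rest_route( 'example-import/v1', '/import', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_process_handler',
        'permission_callback' => 'example_import_permission_check',
    ) );
} );

function example_import_permission_check( WP_REST_Request $request ) {
    // Anonymous callers get 401; logged-in users without the capability get 403.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'create_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'You are not allowed to import users.', array( 'status' => 403 ) );
    }
    return true;
}

// Shared handler. Even with the role clamp below, the unchecked route lets any
// client mass-create accounts; the clamp only ensures the payload by itself
// can never mint an administrator.
function example_process_handler( WP_REST_Request $request ) {
    $data    = $request->get_json_params();
    $created = array();

    foreach ( (array) ( $data['users'] ?? array() ) as $entry ) {
        $login = sanitize_user( (string) ( $entry['login'] ?? '' ), true );
        if ( '' === $login || username_exists( $login ) ) {
            continue;
        }

        // A payload-chosen role is honoured only if it exists and the caller
        // may promote users; otherwise the import falls back to subscriber.
        $requested = (string) ( $entry['role'] ?? '' );
        $role      = ( '' !== $requested && get_role( $requested ) && current_user_can( 'promote_users' ) )
            ? $requested
            : 'subscriber';

        $user_id = wp_insert_user( array(
            'user_login' => $login,
            'user_email' => sanitize_email( (string) ( $entry['email'] ?? '' ) ),
            'user_pass'  => wp_generate_password( 24, true ),
            'role'       => $role,
        ) );

        if ( ! is_wp_error( $user_id ) ) {
            $created[] = $user_id;
        }
    }

    return rest_ensure_response( array( 'created' => $created ) );
}
```

Since WordPress 5.5, omitting permission_callback entirely raises a _doing_it_wrong notice, but an explicit '__return_true' is silent, so a code review of import or generator plugins should look for that literal and for handlers reachable through admin-ajax or admin-post nopriv hooks, which have no permission callback at all and must call current_user_can() themselves.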

Potential Impact

For European organizations, this vulnerability poses a severe risk, especially for those relying on WordPress for their web presence, including corporate websites, e-commerce platforms, and internal portals. Successful exploitation allows attackers to gain full administrative control, enabling them to manipulate website content, steal sensitive data, deploy malware, or use the compromised site as a foothold for further network intrusion. This can lead to data breaches involving personal data protected under GDPR, reputational damage, financial losses, and potential regulatory penalties. Given the widespread use of WordPress in Europe and the popularity of plugins that facilitate cross-platform API integrations, the attack surface is significant. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly vulnerable due to the high value of their data and services. Additionally, the ability to create administrator accounts without authentication could facilitate persistent access and lateral movement within networks, amplifying the threat's impact.

Mitigation Recommendations

Immediate mitigation steps include:

1) Temporarily disabling or uninstalling the affected plugin until a vendor patch is available;
2) Implementing Web Application Firewall (WAF) rules to block POST requests to the import_api endpoint or to filter suspicious JSON payloads targeting this functionality;
3) Conducting thorough audits of WordPress user accounts to detect and remove any unauthorized administrator accounts created recently;
4) Restricting access to the WordPress admin interface and REST API endpoints via IP whitelisting or VPN access controls where feasible;
5) Monitoring web server and application logs for unusual POST requests or spikes in user creation events;
6) Ensuring WordPress core and all plugins/themes are kept up to date with security patches;
7) Employing intrusion detection systems (IDS) to alert on anomalous activities related to user management;
8) Educating site administrators about the risks of installing unverified plugins and encouraging the use of plugins from reputable sources with active maintenance.

Organizations should also prepare incident response plans to quickly remediate any compromise stemming from this vulnerability.
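The must-use plugin below is an added example implementing items 2), 3) and 5) of that list on the WordPress side; it is written for this page and is not vendor or Wordfence code. It assumes, as the description states, that the vulnerable import is triggered by a POST carrying an import_api parameter; because the plugin's exact route is not documented here, the gate inspects both form fields and the raw request body, and the cutoff date in the usage comment is a placeholder.

```php
<?php
/**
 * Plugin Name: Example interim gate for CVE-2025-5288 (added example, not vendor code)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumption: the vulnerable import is triggered by a POST that carries an
 * import_api parameter, as the advisory describes; the exact route is not
 * documented, so the gate checks both form fields and the raw body.
 */

// (1) Gate: a POST mentioning import_api is refused unless the caller already
// holds the capability the importer should have required in the first place.
add_action( 'init', function () {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    $raw       = (string) file_get_contents( 'php://input' );
    $mentioned = isset( $_POST['import_api'] ) || false !== strpos( $raw, 'import_api' );
    if ( $mentioned && ! current_user_can( 'create_users' ) ) {
        error_log( sprintf(
            'cve-2025-5288-gate: blocked POST ip=%s uri=%s',
            $_SERVER['REMOTE_ADDR'] ?? '?',
            $_SERVER['REQUEST_URI'] ?? '?'
        ) );
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}, 0 );

// (2) Audit trail: every account creation and every grant of the administrator
// role is logged with the acting user and client address, which is the data a
// user-creation alert or a spike detector needs.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    error_log( sprintf(
        'user_register: id=%d login=%s roles=%s by=%d ip=%s uri=%s',
        $user_id,
        $user ? $user->user_login : '?',
        $user ? implode( ',', $user->roles ) : '?',
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? '?',
        $_SERVER['REQUEST_URI'] ?? '?'
    ) );
} );

add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role ) {
        error_log( sprintf(
            'set_user_role: id=%d became administrator (was %s) by=%d ip=%s',
            $user_id,
            implode( ',', (array) $old_roles ),
            get_current_user_id(),
            $_SERVER['REMOTE_ADDR'] ?? '?'
        ) );
    }
}, 10, 3 );

// (3) Audit helper: administrators registered after a cutoff, for the account
// review. Run for example with WP-CLI (the date is a placeholder; use the point
// from which your own review should start):
//   wp eval 'print_r( example_admins_registered_since( "2025-05-27" ) );'
function example_admins_registered_since( $since ) {
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
}
```

The gate is deliberately coarse, so expect it to also block legitimate imports by non-administrators until the plugin is updated; the log lines it and the two audit hooks emit go to the PHP error log, where a SIEM or IDS rule can count user_register events per source address and alert on any set_user_role line that grants administrator outside a change window.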

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-27T19:45:55.957Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 684b8f23358c65714e6b5788

Added to database: 6/13/2025, 2:38:27 AM

Last enriched: 6/13/2025, 2:53:44 AM

Last updated: 8/4/2025, 11:07:18 AM
