CVE-2025-5304: CWE-862 Missing Authorization in blafoley PT Project Notebooks – Take Meeting minutes, create budgets, track task management, and more
The PT Project Notebooks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the wpnb_pto_new_users_add() function in versions 1.0.0 through 1.1.3. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.
AI Analysis
Technical Summary
CVE-2025-5304 is a critical security vulnerability identified in the PT Project Notebooks plugin for WordPress, specifically affecting versions 1.0.0 through 1.1.3. The vulnerability is categorized under CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user permissions before allowing certain actions. The root cause lies in the wpnb_pto_new_users_add() function, which lacks adequate authorization checks. This flaw enables unauthenticated attackers to perform privilege escalation, elevating their access rights to that of an administrator without requiring any authentication or user interaction. The vulnerability has been assigned a CVSS v3.1 base score of 9.8, reflecting its critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Successful exploitation compromises confidentiality, integrity, and availability of the affected WordPress site, potentially allowing attackers to manipulate project management data, create or delete users, install backdoors, or take full control of the website. Although no patches or updates have been released at the time of publication, the vulnerability is publicly disclosed and documented in the CVE database. The plugin is used for managing meeting minutes, budgets, and task tracking, making it a valuable target for attackers aiming to disrupt business operations or steal sensitive project information.
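The missing check described above, illustrated with added example code that is not the plugin's own: a hypothetical WordPress AJAX handler that creates user accounts, first in the CWE-862 shape (reachable without login, no capability check) and then hardened. The handler, action and nonce names (demo_add_user*, demo_add_user_nonce) are invented.

```php
<?php
// Added example, not from the PT Project Notebooks plugin. The handler,
// action and nonce names (demo_add_user*, demo_add_user_nonce) are invented.

// CWE-862 PATTERN: the handler is hooked on wp_ajax_nopriv_*, so visitors who
// are not logged in can reach it, and it never asks who the caller is or what
// they may do; the caller even chooses the role of the account being created.
add_action( 'wp_ajax_nopriv_demo_add_user', 'demo_add_user' );
add_action( 'wp_ajax_demo_add_user', 'demo_add_user' );
function demo_add_user() {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['login'] ?? '' ) ),
        'user_pass'  => wp_unslash( $_POST['pass'] ?? '' ),
        'role'       => sanitize_key( $_POST['role'] ?? 'subscriber' ),
    ) );
    wp_send_json( $user_id );
}

// HARDENED: no nopriv hook (anonymous requests never reach the function), a
// nonce ties the request to the admin UI, and the caller must hold the
// capability WordPress itself requires for creating users. The role comes
// from a fixed allow-list instead of the request.
add_action( 'wp_ajax_demo_add_user_secure', 'demo_add_user_secure' );
function demo_add_user_secure() {
    check_ajax_referer( 'demo_add_user_nonce', 'nonce' );   // dies on a bad or missing nonce
    if ( ! current_user_can( 'create_users' ) ) {           // the authorization check CWE-862 is about
        wp_send_json_error( 'forbidden', 403 );             // sends the response and exits
    }
    $allowed_roles = array( 'subscriber', 'contributor' );
    $role          = sanitize_key( $_POST['role'] ?? 'subscriber' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => wp_generate_password( 24 ),          // never accept a caller-supplied password
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}
```

When an endpoint changes an existing account's role instead of creating one, the capability to test is promote_users rather than create_users.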
Potential Impact
The impact of CVE-2025-5304 is severe for organizations using the PT Project Notebooks plugin on WordPress sites. An attacker exploiting this vulnerability can gain administrator privileges without authentication, leading to complete site takeover. This includes the ability to modify or delete critical project management data, inject malicious code or backdoors, disrupt business workflows, and potentially pivot to other parts of the network. The loss of confidentiality can expose sensitive corporate information such as budgets and meeting minutes. Integrity violations can corrupt project tracking and task management data, undermining operational reliability. Availability may also be affected if attackers deface the site or deploy ransomware. Given WordPress's widespread use globally and the plugin's role in business productivity, the vulnerability poses a significant risk to enterprises, government agencies, and other organizations relying on this software for project collaboration.
Mitigation Recommendations
1. Immediate mitigation involves disabling or uninstalling the PT Project Notebooks plugin until a security patch is released by the vendor.
2. Monitor WordPress plugin repositories and vendor communications for updates or patches addressing CVE-2025-5304 and apply them promptly.
3. Restrict access to WordPress admin interfaces using IP whitelisting or VPNs to reduce exposure to unauthenticated attacks.
4. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the wpnb_pto_new_users_add() function or related endpoints.
5. Regularly audit user accounts and permissions to identify unauthorized privilege escalations.
6. Employ intrusion detection systems (IDS) to monitor for anomalous activities indicative of exploitation attempts.
7. Backup WordPress sites and databases frequently to enable recovery in case of compromise.
8. Educate site administrators about the risks and signs of exploitation to enhance incident response readiness.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-28T11:05:30.257Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685f80106f40f0eb726abc10
Added to database: 6/28/2025, 5:39:28 AM
Last enriched: 2/27/2026, 3:13:21 PM
Last updated: 3/21/2026, 5:40:39 AM