CVE-2025-5304 is a critical vulnerability affecting the PT Project Notebooks WordPress plugin developed by blafoley, specifically versions 1.0.0 through 1.1.3. The vulnerability arises from missing authorization checks in the function wpnb_pto_new_users_add(), which is responsible for adding new users. Due to this missing authorization, unauthenticated attackers can exploit the flaw to escalate their privileges to that of an administrator without any prior authentication or user interaction. This type of vulnerability is classified under CWE-862 (Missing Authorization), indicating that the application fails to properly verify whether a user has the necessary permissions before performing sensitive actions. The CVSS v3.1 base score of 9.8 reflects the critical nature of this vulnerability, with an attack vector that is network-based (AV:N), requiring no privileges (PR:N) and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high, as attackers gaining administrative access can fully control the WordPress site, including modifying content, installing backdoors, stealing sensitive data, or disrupting services. Although no public exploits have been reported yet, the ease of exploitation and the severity of impact make this a significant threat. The vulnerability affects a plugin used for project management tasks such as taking meeting minutes, creating budgets, and tracking tasks, which are often critical functions for organizations relying on WordPress for internal collaboration and documentation.

For European organizations, this vulnerability poses a substantial risk, especially for those using WordPress sites with the PT Project Notebooks plugin for internal project management and collaboration. Successful exploitation could lead to full site compromise, exposing sensitive corporate data, project plans, financial information, and potentially personal data protected under GDPR. The administrative access gained by attackers could be leveraged to deploy malware, ransomware, or conduct further lateral movement within the organization's network. This could result in operational disruptions, reputational damage, regulatory penalties, and financial losses. Given the plugin's role in managing budgets and tasks, the integrity of financial and project data could be severely undermined, affecting decision-making and compliance. The lack of authentication and user interaction required for exploitation increases the likelihood of automated attacks targeting vulnerable installations across Europe.

Immediate mitigation steps include disabling or uninstalling the PT Project Notebooks plugin until a security patch is released. Organizations should monitor official vendor channels and WordPress plugin repositories for updates addressing this vulnerability. In the interim, applying Web Application Firewall (WAF) rules to block requests attempting to invoke the wpnb_pto_new_users_add() function or suspicious user creation activities can reduce exposure. Conduct thorough audits of user accounts to detect unauthorized administrative users and remove them promptly. Implement strict access controls and monitoring on WordPress admin interfaces and logs to identify anomalous activities. Organizations should also consider isolating WordPress instances from critical internal networks to limit potential lateral movement. Regular backups of WordPress sites and databases are essential to enable recovery in case of compromise. Finally, educating site administrators about the risks and signs of exploitation can improve early detection and response.