CVE-2025-5483: CWE-862 Missing Authorization in niaj Connector Wizard (formerly LC Wizard)
The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to 1.3.0. This makes it possible for unauthenticated attackers to create new user accounts with the administrator role when the PRO functionality is enabled.
AI Analysis
Technical Summary
CVE-2025-5483 is a critical privilege escalation vulnerability identified in the niaj Connector Wizard WordPress plugin, previously known as LC Wizard, specifically affecting versions 1.2.10 through 1.3.0. The root cause is a missing capability check in the file ghl-wizard/inc/wp_user.php, which fails to verify whether a user has the necessary permissions before allowing user account creation. This flaw enables unauthenticated attackers to exploit the plugin's PRO functionality to create new user accounts with administrator privileges. Since WordPress administrator accounts have full control over the site, including plugin and theme management, content modification, and user management, exploitation can lead to complete site compromise. The vulnerability does not require any prior authentication or user interaction, increasing its risk. The CVSS 3.1 score of 8.1 reflects the network attack vector, high impact on confidentiality, integrity, and availability, and the lack of required privileges or user interaction. Although no public exploits have been reported yet, the vulnerability's nature makes it a prime target for attackers seeking to gain persistent and elevated access to WordPress sites. The vulnerability was reserved in June 2025 and published in November 2025, indicating recent discovery and disclosure. No patches are currently linked, so mitigation relies on disabling vulnerable functionality or applying vendor updates when available. The vulnerability is classified under CWE-862 (Missing Authorization), highlighting the failure to enforce proper access controls in the plugin's user management code.
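The authorization pattern the summary describes as missing, shown as an added example rather than code from niaj Connector Wizard: a WordPress AJAX handler that creates users only after a nonce check and a capability check, and that never lets the request pick an arbitrary role. The `example_wizard_` action and nonce names are assumptions made for this illustration.

```php
<?php
// Added example, not code from niaj Connector Wizard: the checks a WordPress
// user-creation endpoint needs so that CWE-862 cannot occur. Action and nonce
// names prefixed "example_wizard_" are assumptions made for this illustration.

// Register on 'wp_ajax_' only. A 'wp_ajax_nopriv_' registration (or a REST route
// without a permission_callback) is what lets anonymous visitors reach a handler;
// the capability check below is the step the advisory says the vulnerable file lacked.
add_action( 'wp_ajax_example_wizard_create_user', 'example_wizard_create_user' );

function example_wizard_create_user() {
    // CSRF: the request must carry a valid nonce for this specific action.
    check_ajax_referer( 'example_wizard_create_user', 'nonce' );

    // Authorization (the missing check): being logged in is not enough, the caller
    // must hold the capability that governs user creation.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Never let the request choose an arbitrary role. This example's policy: grant
    // 'administrator' only to callers who may also promote users.
    $allowed = array( 'subscriber', 'editor' );
    if ( current_user_can( 'promote_users' ) ) {
        $allowed[] = 'administrator';
    }
    $role = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : 'subscriber';
    if ( ! in_array( $role, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Role not permitted.' ), 400 );
    }

    $login = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ), true ) : '';
    $email = isset( $_POST['user_email'] ) ? sanitize_email( wp_unslash( $_POST['user_email'] ) ) : '';
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid login or e-mail.' ), 400 );
    }

    // A random password forces the new user through the reset flow instead of
    // accepting a caller-supplied secret.
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24, true, true ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

`wp_send_json_error()` calls `wp_die()`, so each failed check ends the request; the handler never reaches `wp_insert_user()` without passing all of them.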
Potential Impact
For European organizations, this vulnerability poses a significant risk of unauthorized full administrative access to WordPress sites using the niaj Connector Wizard plugin with PRO functionality enabled. Attackers can create administrator accounts without authentication, leading to potential data breaches, defacement, malware implantation, or use of compromised sites as attack platforms. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance, especially under GDPR where unauthorized access to personal data must be prevented. Organizations relying on WordPress for public-facing websites, e-commerce, or internal portals are particularly vulnerable. The ease of exploitation and high impact on confidentiality, integrity, and availability make this a critical threat. Additionally, the lack of known exploits currently provides a window for proactive mitigation before widespread attacks occur. Failure to address this vulnerability could result in significant operational and financial damage.
Mitigation Recommendations
1. Immediately disable the PRO functionality of the niaj Connector Wizard plugin until a security patch is released by the vendor.
2. Monitor WordPress user accounts for any unauthorized creation of administrator-level users and remove suspicious accounts promptly.
3. Restrict access to WordPress admin areas using IP whitelisting or VPNs to limit exposure.
4. Implement Web Application Firewalls (WAF) with rules to detect and block suspicious requests targeting the plugin endpoints.
5. Regularly audit installed plugins and remove or replace those that are outdated or no longer maintained.
6. Ensure WordPress core, themes, and plugins are kept up to date with security patches as soon as they become available.
7. Employ multi-factor authentication (MFA) for all administrator accounts to reduce risk if unauthorized accounts are created.
8. Conduct security awareness training for site administrators to recognize and respond to suspicious activities.
9. Back up WordPress sites regularly and verify restoration procedures to minimize downtime in case of compromise.
10. Engage with the plugin vendor or community to track patch releases and vulnerability disclosures related to this issue.
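One way to operationalize recommendation 2 (monitoring for unauthorized administrator accounts), as an added example that is not part of the original advisory or the plugin: a must-use plugin that logs every grant of the administrator role with request context, plus an audit query for administrators registered after a given time. The file name, function prefix and `ARM` log prefix are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Admin Role Grant Monitor
 *
 * Added example for recommendation 2, not code from the original page or the
 * plugin vendor. Saved as wp-content/mu-plugins/admin-role-monitor.php it loads
 * before ordinary plugins and records every grant of the administrator role,
 * whether by account creation or promotion, with the request context an incident
 * responder needs. The "ARM" log prefix is an assumption made for this example.
 */

function arm_log_admin_grant( $user_id, $role, $event, $hook ) {
    if ( 'administrator' !== $role ) {
        return;
    }
    $user  = get_userdata( $user_id );
    $entry = array(
        'event'      => $event,
        'hook'       => $hook,
        'user_id'    => (int) $user_id,
        'user_login' => $user ? $user->user_login : null,
        'actor_id'   => get_current_user_id(), // 0 = unauthenticated request
        'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null,
        'uri'        => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : null,
        'time_utc'   => gmdate( 'c' ),
    );
    error_log( 'ARM ' . wp_json_encode( $entry ) );
}

// wp_insert_user()/wp_create_user() assign the role through WP_User::set_role(),
// so a brand-new administrator fires set_user_role with an empty $old_roles.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $event = empty( $old_roles ) ? 'admin_account_created' : 'user_promoted_to_admin';
    arm_log_admin_grant( $user_id, $role, $event, 'set_user_role' );
}, 10, 3 );

// Role added alongside existing ones (WP_User::add_role()).
add_action( 'add_user_role', function ( $user_id, $role ) {
    arm_log_admin_grant( $user_id, $role, 'admin_role_added', 'add_user_role' );
}, 10, 2 );

// Hooks miss a direct write to the wp_capabilities user meta, so pair them with a
// periodic audit: administrators whose account was registered after $since (UTC).
function arm_admins_registered_since( $since ) {
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
}
```

Ship the `ARM` lines from the PHP error log to the SIEM and alert on `admin_account_created` where `actor_id` is 0, which is exactly the unauthenticated-creation pattern this advisory describes.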
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-02T20:30:02.458Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690d71c16e13fd093e3db3f9
Added to database: 11/7/2025, 4:12:49 AM
Last enriched: 11/14/2025, 4:50:07 AM
Last updated: 12/22/2025, 2:50:01 PM