
CVE-2025-6380: CWE-862 Missing Authorization in onlyoffice ONLYOFFICE Docs

Critical
Tags: Vulnerability, CVE-2025-6380, CWE-862
Published: Thu Jul 24 2025 (07/24/2025, 09:22:17 UTC)
Source: CVE Database V5
Vendor/Project: onlyoffice
Product: ONLYOFFICE Docs

Description

The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment post, but does not verify the requester’s identity or capabilities. This makes it possible for unauthenticated attackers to log in as an arbitrary user.

AI-Powered Analysis

Last updated: 07/24/2025, 09:48:36 UTC

Technical Analysis

CVE-2025-6380 affects the ONLYOFFICE Docs plugin for WordPress, versions 1.1.0 through 2.2.0. The defect sits in the permission callback of the plugin's oo.callback REST endpoint. That callback confirms that the supplied, encrypted attachment ID resolves to an existing attachment post and treats this as sufficient: nothing in the check asks who is making the request or what that requester is allowed to do. The endpoint is therefore reachable by any client that can present a valid encrypted attachment ID, without any WordPress credentials. Possession of a reference to an object is being accepted as proof of authority over that object, which is exactly the failure CWE-862 (Missing Authorization) describes.

According to the advisory, the consequence is that an unauthenticated attacker can log in as an arbitrary user, administrators included, so this is a full account takeover rather than an information leak. The CVSS v3.1 base score given is 9.8, i.e. AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability of the affected WordPress site.

No exploitation in the wild had been reported as of publication (July 24, 2025). Because the attack is a single unauthenticated REST request, the bar to exploitation is low once the issue is understood, and administrators running an affected version should treat it as urgent.
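The pattern the analysis describes, rendered as an added WordPress example written for this page (this is not the ONLYOFFICE plugin's code; the route namespace example-docs/v1, the parameter name id, the token format and every example_* function name are assumptions). It shows a permission_callback that only proves the object exists, beside a hardened one that first authenticates the caller and then checks a capability on that specific attachment:

```php
<?php
/**
 * Added illustration of the CWE-862 pattern, not the ONLYOFFICE Docs plugin's
 * own code. Route, parameter and token format are assumptions.
 */

/** Decode base64url; false on malformed input. */
function example_b64url_decode( $s ) {
    $s = strtr( (string) $s, '-_', '+/' );
    return base64_decode( $s . str_repeat( '=', ( 4 - strlen( $s ) % 4 ) % 4 ), true );
}

/** Site-bound 32-byte key for the opaque attachment token (assumed derivation). */
function example_token_key() {
    return hash( 'sha256', wp_salt( 'auth' ), true );
}

/** Produce the opaque "encrypted attachment ID": base64url( nonce || secretbox(id) ). */
function example_encrypt_attachment_id( $attachment_id ) {
    $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = sodium_crypto_secretbox( (string) (int) $attachment_id, $nonce, example_token_key() );
    return rtrim( strtr( base64_encode( $nonce . $box ), '+/', '-_' ), '=' );
}

/** Resolve the token back to a post ID; 0 when malformed or not authentic. */
function example_decrypt_attachment_id( $token ) {
    $raw = example_b64url_decode( $token );
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ( $raw === false || strlen( $raw ) < $min ) {
        return 0;
    }
    $nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain = sodium_crypto_secretbox_open( substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ), $nonce, example_token_key() );
    return ( $plain === false ) ? 0 : (int) $plain;
}

/** VULNERABLE: answers "does the object exist?", never "who is asking?". */
function example_vulnerable_permission( WP_REST_Request $request ) {
    $id = example_decrypt_attachment_id( $request->get_param( 'id' ) );
    // Anyone presenting a valid token passes, with no session and no capability
    // check; whatever the handler then does runs on behalf of an anonymous caller.
    return $id > 0 && get_post_type( $id ) === 'attachment';
}

/**
 * HARDENED: the same existence check, preceded by authentication and followed by
 * an object-level capability check. WP_Error carries a precise status code.
 */
function example_hardened_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    $id = example_decrypt_attachment_id( $request->get_param( 'id' ) );
    if ( $id <= 0 || get_post_type( $id ) !== 'attachment' ) {
        return new WP_Error( 'rest_not_found', 'Unknown attachment.', array( 'status' => 404 ) );
    }
    // Authorization on this attachment, not merely "is logged in".
    if ( ! current_user_can( 'edit_post', $id ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not act on this attachment.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-docs/v1', '/callback/(?P<id>[A-Za-z0-9_-]+)', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            $id = example_decrypt_attachment_id( $request->get_param( 'id' ) );
            return rest_ensure_response( array( 'id' => $id, 'url' => wp_get_attachment_url( $id ) ) );
        },
        // Swap in 'example_vulnerable_permission' to reproduce the missing-authorization flaw.
        'permission_callback' => 'example_hardened_permission',
        'args'                => array( 'id' => array( 'required' => true, 'type' => 'string' ) ),
    ) );
} );
```

Two caveats a practitioner should keep in mind. WordPress only recognises cookie authentication on REST requests that also carry a valid X-WP-Nonce (or that use an Application Password), so a browser client of the hardened route needs one. And if the route is in fact called server-to-server by the ONLYOFFICE Document Server, there is no WordPress session to check at all: the appropriate authorization there is to verify a shared-secret signature on the callback (ONLYOFFICE Document Server can sign its callbacks with a JWT when a secret is configured), and whether this plugin relies on that mechanism is not stated on this page.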

Potential Impact

For European organizations that run WordPress sites with ONLYOFFICE Docs for document management and collaboration, the risk is substantial. An attacker who can impersonate any user, including administrators, gains access to corporate documents, client data and internal communications held on or reachable from the site; a resulting breach of personal data is reportable under the GDPR and can bring legal penalties and reputational damage. The same access allows documents to be altered or deleted, operations to be disrupted, and the compromised account to be used as a foothold for further intrusion into connected systems. Given how widely WordPress is used across European government, education and private-sector organizations, the exposed population is broad, and because the endpoint is reachable over the network without prior access, exposure is not limited to insiders or to sites that are already partly compromised.

Mitigation Recommendations

Upgrade the plugin as soon as a fixed release is available. At the time of writing the record lists no patch link, so check the installed version against the affected range (1.1.0 through 2.2.0) and watch the vendor's release notes.

Until a fix is installed, either deactivate the plugin or restrict who can reach the oo.callback REST endpoint, whether at a WAF, a reverse proxy or a web-server rule. This is a callback endpoint: if the ONLYOFFICE Document Server your site integrates with calls it, blocking it outright will break document editing, so allow-list that server's address rather than denying all traffic.

Network segmentation and source-address restrictions on WordPress administrative and plugin endpoints reduce exposure further, though they offer little on a site whose REST API must stay publicly reachable.

Log REST API calls to the oo.callback route (method, source address, resolved WordPress user) and alert on requests from unexpected sources. Because the flaw yields a login as an arbitrary user, a request to this endpoint shortly followed by a new administrative session from the same address is worth investigating.

Keep WordPress-level authentication and authorization policies strict, including multi-factor authentication for administrative accounts, but understand the limit: a session issued through the vulnerable endpoint never passes through the login form, so MFA enforced there does not block this particular attack. It remains valuable against other paths.

Audit user permissions and installed plugins regularly to minimise unnecessary exposure, and prepare an incident response playbook for this vulnerability (identify affected sites, invalidate sessions by rotating the WordPress salts, reset credentials, review recent administrative actions) so that any exploitation can be contained quickly.
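The "restrict access to the oo.callback endpoint" stopgap can also be applied inside WordPress when no WAF or proxy sits in front of the site. The following is an added example written for this page, not vendor code, in the form of a must-use plugin dropped into wp-content/mu-plugins/; the route regex, the placeholder addresses (RFC 5737 documentation ranges) and the example_* function names are assumptions to adapt to the actual deployment. It rejects matching REST requests from non-allow-listed sources and logs each rejection for triage:

```php
<?php
/**
 * Plugin Name: Temporary callback endpoint guard (added example, not vendor code)
 *
 * Stopgap until a patched plugin is installed: REST requests whose route matches
 * EXAMPLE_GUARDED_ROUTE_REGEX are refused unless the source address is allow-listed.
 * Adjust the regex to the plugin's real route prefix and list the Document Server
 * address(es) that legitimately call the endpoint.
 */

const EXAMPLE_GUARDED_ROUTE_REGEX = '#/onlyoffice/#i'; // assumption: adjust to the actual route
const EXAMPLE_ALLOWED_SOURCES     = array( '203.0.113.10', '198.51.100.0/24' ); // placeholders

/** True when $ip falls inside $range, given as an exact address or as CIDR (IPv4 or IPv6). */
function example_ip_in_range( $ip, $range ) {
    $ip_bin = inet_pton( (string) $ip );
    if ( $ip_bin === false ) {
        return false;
    }
    if ( strpos( $range, '/' ) === false ) {
        $net_bin = inet_pton( $range );
        return $net_bin !== false && $net_bin === $ip_bin;
    }
    list( $net, $bits ) = explode( '/', $range, 2 );
    $net_bin = inet_pton( $net );
    if ( $net_bin === false || strlen( $net_bin ) !== strlen( $ip_bin ) ) {
        return false; // address family mismatch or bad network
    }
    $bits = max( 0, min( (int) $bits, strlen( $ip_bin ) * 8 ) );
    $full = intdiv( $bits, 8 );
    if ( $full > 0 && substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
        return false;
    }
    $rem = $bits % 8;
    if ( $rem === 0 ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF; // leading $rem bits of the partial byte
    return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

/** Source address of the current request. */
function example_request_source_ip() {
    // Deliberately REMOTE_ADDR only. Behind a reverse proxy, have the proxy layer set
    // REMOTE_ADDR from X-Forwarded-For; trusting that header here would let any client
    // spoof an allowed source and walk straight past the guard.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
}

function example_source_allowed( $ip ) {
    foreach ( EXAMPLE_ALLOWED_SOURCES as $range ) {
        if ( example_ip_in_range( $ip, $range ) ) {
            return true;
        }
    }
    return false;
}

// Runs after WordPress has authenticated the request and matched the route,
// but before the route's permission_callback and handler execute.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( is_wp_error( $response ) || ! preg_match( EXAMPLE_GUARDED_ROUTE_REGEX, $request->get_route() ) ) {
        return $response; // not a guarded route, or already failing: leave untouched
    }
    $ip = example_request_source_ip();
    if ( example_source_allowed( $ip ) ) {
        return $response;
    }
    // What a SOC wants for triage: method, route, source, and the user WordPress resolved (0 = anonymous).
    error_log( sprintf( 'callback-guard: blocked %s %s from %s (wp_user=%d)',
        $request->get_method(), $request->get_route(), $ip, get_current_user_id() ) );
    return new WP_Error( 'rest_forbidden', 'This endpoint is temporarily restricted.', array( 'status' => 403 ) );
}, 10, 3 );
```

Expect some loss of functionality: if the endpoint is also used by browsers of logged-in editors, they will be refused too, which is the trade-off the advisory's alternative of deactivating the plugin makes in full. Remove the guard once the patched version is installed and the route is confirmed to enforce authorization itself.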


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-06-19T18:35:39.626Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6881fdd8ad5a09ad0033bed0

Added to database: 7/24/2025, 9:33:12 AM

Last enriched: 7/24/2025, 9:48:36 AM

Last updated: 8/25/2025, 1:05:00 AM

