CVE-2025-6380 is a critical security vulnerability identified in the ONLYOFFICE Docs plugin for WordPress, specifically affecting versions 1.1.0 through 2.2.0. The root cause is a missing authorization check in the oo.callback REST API endpoint. This endpoint is designed to handle callbacks related to encrypted attachment IDs. However, the plugin's permission callback only verifies that the encrypted attachment ID maps to an existing attachment post, without validating the identity or capabilities of the requester. Consequently, an unauthenticated attacker can exploit this flaw to impersonate any user by supplying a valid encrypted attachment ID, effectively escalating privileges without authentication or user interaction. This vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS v3.1 base score of 9.8, reflecting its critical impact on confidentiality, integrity, and availability. The vulnerability allows attackers to gain unauthorized access to user accounts, potentially leading to data theft, unauthorized document modifications, or disruption of services. Although no active exploits have been reported in the wild, the ease of exploitation and the severity of impact make this a high-risk vulnerability. The lack of patches at the time of publication necessitates immediate attention from organizations using ONLYOFFICE Docs in WordPress environments.

The impact of CVE-2025-6380 is severe for organizations using ONLYOFFICE Docs integrated with WordPress. An attacker can gain unauthorized access to arbitrary user accounts without authentication, leading to full compromise of user data and permissions. This can result in unauthorized disclosure of sensitive documents, unauthorized modifications or deletions of content, and potential disruption of document collaboration workflows. The breach of confidentiality and integrity can damage organizational reputation, lead to regulatory compliance violations, and cause operational downtime. Since the vulnerability affects a widely used document collaboration plugin, organizations relying on ONLYOFFICE Docs for internal or external document management are at significant risk. The vulnerability's network-exploitable nature and lack of required user interaction increase the likelihood of automated attacks or mass exploitation attempts once public exploit code becomes available.

To mitigate CVE-2025-6380, organizations should immediately upgrade ONLYOFFICE Docs WordPress plugin to a version where the vulnerability is patched once available. Until a patch is released, implement the following specific mitigations: 1) Restrict access to the oo.callback REST endpoint by applying web application firewall (WAF) rules that block unauthenticated requests or requests from untrusted IP addresses. 2) Disable or limit the use of the ONLYOFFICE Docs plugin if feasible, especially on publicly accessible WordPress sites. 3) Monitor web server and application logs for suspicious access patterns targeting the oo.callback endpoint or unusual attachment ID requests. 4) Enforce strict WordPress user role and capability management to minimize the impact of compromised accounts. 5) Consider isolating ONLYOFFICE Docs functionality behind VPN or internal networks to reduce exposure. 6) Educate administrators and users about the risk and encourage vigilance for unusual account activity. These targeted mitigations go beyond generic advice by focusing on access control and monitoring specific to the vulnerable endpoint.