CVE-2025-6441: CWE-862 Missing Authorization in tobias_conrad WebinarIgnition – Live, Automated & Evergreen Webinars for WooCommerce
The Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for WordPress is vulnerable to unauthenticated login token generation due to a missing capability check on the `webinarignition_sign_in_support_staff` and `webinarignition_register_support` functions in all versions up to, and including, 4.03.32. This makes it possible for unauthenticated attackers to generate login tokens for arbitrary WordPress users under certain circumstances, issuing authorization cookies which can lead to authentication bypass.
AI Analysis
Technical Summary
CVE-2025-6441 is a missing authorization vulnerability (CWE-862) in the WebinarIgnition plugin for WordPress, specifically in the `webinarignition_sign_in_support_staff` and `webinarignition_register_support` functions. Due to the absence of capability checks, unauthenticated attackers can generate login tokens for arbitrary WordPress users, leading to authentication bypass. This vulnerability affects all versions up to 4.03.32 and has a CVSS 3.1 base score of 9.8, reflecting its critical severity with network attack vector, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows unauthenticated attackers to generate login tokens and authorization cookies for arbitrary WordPress users, enabling authentication bypass. This can lead to full compromise of affected WordPress sites running the vulnerable WebinarIgnition plugin, impacting confidentiality, integrity, and availability of the system.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the plugin's functionality where possible and monitor for unusual authentication activity. Avoid using affected versions and consider disabling the plugin if feasible until a patch is available.
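One way to act on "monitor for unusual authentication activity", as an added example that is not part of the advisory or the plugin: because the flaw issues authorization cookies without the normal login flow, this heuristic flags clients that receive `200` responses on `/wp-admin/` pages with no preceding successful `wp-login.php` POST. The log lines are constructed, the combined log format and the 48-hour window are assumptions, and long-lived "remember me" sessions will show up as false positives to triage.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [24/Jul/2025:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jul/2025:09:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
192.0.2.80 - - [24/Jul/2025:09:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jul/2025:09:05:12 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Jul/2025:09:06:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Scripts under /wp-admin/ that answer 200 to anonymous visitors, so a 200
# from them says nothing about whether the client holds a session.
ANON_OK = {"admin-ajax.php", "admin-post.php", "load-styles.php", "load-scripts.php"}

def sessions_without_login(log_text, window=timedelta(hours=48)):
    """Return (ip, path, timestamp) for 200 responses on /wp-admin/ pages
    from clients with no successful wp-login.php POST inside `window`."""
    last_login = {}  # ip -> time of last POST /wp-login.php answered 302
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path, status = m["ip"], m["path"].split("?", 1)[0], m["status"]
        if m["method"] == "POST" and path == "/wp-login.php" and status == "302":
            last_login[ip] = ts  # WordPress redirects (302) after a good login
            continue
        admin_page = (path.startswith("/wp-admin/")
                      and path.endswith(("/", ".php"))
                      and path.rsplit("/", 1)[-1] not in ANON_OK)
        if admin_page and status == "200":
            seen = last_login.get(ip)
            if seen is None or ts - seen > window:
                findings.append((ip, path, ts.isoformat()))
    return findings

if __name__ == "__main__":
    for hit in sessions_without_login(SAMPLE_LOG):
        print(hit)
```

Correlate any hit with the account behind the session (for example through an audit-log plugin) before treating it as compromise.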
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-20T17:07:55.542Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6881fdd8ad5a09ad0033bee3
Added to database: 7/24/2025, 9:33:12 AM
Last enriched: 4/9/2026, 5:44:41 PM
Last updated: 5/8/2026, 4:29:25 PM