The vulnerability identified as CVE-2025-8425 affects the My WP Translate plugin for WordPress, specifically versions up to and including 1.1. The root cause is a missing capability check in the ajax_import_strings() function, which is responsible for importing translation strings via AJAX requests. This lack of authorization verification allows any authenticated user with at least Subscriber-level privileges to invoke this function and modify arbitrary WordPress options. Attackers can exploit this to change critical site settings, such as the default role assigned to new users, setting it to administrator, and enabling user registration. Consequently, attackers can create new administrative accounts without legitimate authorization, leading to full site compromise. The vulnerability is remotely exploitable without user interaction beyond authentication, and the CVSS v3.1 score is 8.8 (high), reflecting the ease of exploitation and the severe impact on confidentiality, integrity, and availability. No patches are currently linked, so mitigation requires immediate attention. The vulnerability is classified under CWE-862 (Missing Authorization), highlighting the failure to enforce proper access controls on sensitive functions.

This vulnerability poses a critical risk to organizations using the My WP Translate plugin on WordPress sites. Successful exploitation results in privilege escalation from low-level authenticated users to full administrative control, enabling attackers to manipulate site content, install malicious plugins, steal sensitive data, or disrupt site operations. The ability to create administrative accounts undermines all security controls and can lead to persistent backdoors and widespread compromise. Given WordPress's widespread use globally, this vulnerability can affect a large number of websites, including corporate, governmental, and e-commerce platforms. The impact extends to loss of data confidentiality, integrity breaches through unauthorized changes, and availability issues if attackers disable or deface sites. The absence of known exploits in the wild does not reduce the urgency, as the vulnerability is straightforward to exploit once authenticated, and many WordPress sites allow user registration or have multiple users with Subscriber-level access.

1. Immediately update the My WP Translate plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict user registration and limit Subscriber-level access to trusted users only. 3. Implement web application firewall (WAF) rules to block unauthorized AJAX requests targeting ajax_import_strings() or similar plugin endpoints. 4. Regularly audit user roles and permissions to detect unauthorized changes, especially the default role for new registrations. 5. Monitor WordPress logs for suspicious activity related to option updates or new administrator account creations. 6. Disable or remove the My WP Translate plugin if it is not essential to reduce the attack surface. 7. Employ multi-factor authentication (MFA) for all administrative accounts to mitigate the impact of compromised credentials. 8. Harden WordPress installations by disabling XML-RPC and other unnecessary services that could facilitate exploitation. 9. Educate site administrators about this vulnerability and encourage immediate action to prevent exploitation.