CVE-2025-8425: CWE-862 Missing Authorization in mythemeshop My WP Translate

Severity: High
Type: Vulnerability
Tags: CVE-2025-8425, cve, cve-2025-8425, cwe-862
Published: Thu Sep 11 2025 (09/11/2025, 07:25:02 UTC)
Source: CVE Database V5
Vendor/Project: mythemeshop
Product: My WP Translate

Description

The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_import_strings() function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

AI-Powered Analysis

Last updated: 09/11/2025, 07:29:45 UTC

Technical Analysis

CVE-2025-8425 is a high-severity vulnerability affecting the My WP Translate plugin for WordPress, developed by MyThemeShop. The vulnerability stems from a missing authorization check (CWE-862) in the ajax_import_strings() function, present in all plugin versions up to and including 1.1. Specifically, the function fails to verify whether the authenticated user has the necessary capabilities before allowing modification of translation strings. This flaw enables any authenticated user with at least Subscriber-level access to make unauthorized modifications to arbitrary WordPress options.

An attacker can exploit this by changing the default user role assigned upon new registrations to 'administrator' and enabling user registration if it was previously disabled. The attacker can then create new accounts with administrative privileges, escalating from a low-level user to full site administrator without requiring any user interaction beyond authentication.

The vulnerability is remotely exploitable over the network (AV:N), has low attack complexity (AC:L), and requires only low privileges (PR:L) with no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high, as attackers gain full administrative control over the affected WordPress site. No public exploits are known at the time of publication, but the CVSS score of 8.8 reflects the severity of this authorization bypass. No patches have been linked yet, so site administrators must watch for updates or apply manual mitigations. Given WordPress's widespread use and the popularity of My WP Translate, this vulnerability poses a significant risk to websites using this plugin.

Potential Impact

For European organizations, this vulnerability could lead to severe consequences including complete site takeover, data breaches, defacement, and disruption of services hosted on WordPress platforms using the My WP Translate plugin. Attackers gaining administrative access can exfiltrate sensitive data, inject malicious code, or disrupt business operations. This is particularly critical for organizations relying on WordPress for customer-facing websites, e-commerce, or internal portals. The ability to escalate privileges from a low-level user means that even compromised or low-trust accounts can be leveraged for full control, increasing the attack surface. Given the GDPR and other stringent data protection regulations in Europe, exploitation could result in regulatory penalties, reputational damage, and loss of customer trust. Additionally, the lack of user interaction requirement facilitates automated exploitation, increasing the likelihood of widespread attacks once exploit code becomes available.

Mitigation Recommendations

1. Immediate mitigation involves restricting user roles and permissions to the minimum necessary, especially limiting Subscriber-level users from accessing or interacting with the My WP Translate plugin functionalities.
2. Disable user registration temporarily if not required, to prevent attackers from creating new administrator accounts.
3. Monitor WordPress option changes and audit logs for suspicious modifications, particularly changes to default user roles and registration settings.
4. Apply principle of least privilege to all users and review plugin usage to determine if My WP Translate is essential; consider disabling or uninstalling the plugin until a patch is released.
5. Implement Web Application Firewall (WAF) rules to detect and block unauthorized AJAX requests targeting ajax_import_strings() or similar endpoints.
6. Stay alert for official patches or updates from MyThemeShop and apply them promptly once available.
7. Conduct regular security assessments and penetration testing focusing on WordPress plugins and user privilege escalation vectors.
8. Educate site administrators and users about the risks of privilege escalation and the importance of strong authentication and access controls.
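
Where the plugin has to stay active, the monitoring in item 3 can be combined with a hard block on the two options named in the description. The must-use plugin below is an added example, not MyThemeShop or WordPress core code; the `osg_` names are hypothetical, and it assumes the vulnerable import writes through `update_option()`. It covers only this escalation path, not other arbitrary option writes.

```php
<?php
/**
 * Added example, not MyThemeShop or WordPress core code. Save under
 * wp-content/mu-plugins/. The osg_ names are hypothetical.
 * Assumption: the vulnerable import writes through update_option(), so the
 * pre_update_option_* filters fire; a direct database write bypasses them.
 */

// Options the advisory names as the privilege-escalation path.
const OSG_GUARDED_OPTIONS = array( 'default_role', 'users_can_register' );

// One log line per event; values are JSON-encoded so they cannot break the line.
function osg_log( $event, $option, $old_value, $value ) {
	error_log( sprintf(
		'[option-guard] %s option=%s user=%d ajax=%s old=%s new=%s',
		$event,
		$option,
		get_current_user_id(),
		wp_doing_ajax() ? 'yes' : 'no',
		wp_json_encode( $old_value ),
		wp_json_encode( $value )
	) );
}

// Re-apply the capability check the handler lacks. Returning $old_value makes
// update_option() see no change and skip the write.
function osg_guard_option( $value, $old_value, $option ) {
	if ( $value === $old_value ) {
		return $value;
	}
	$trusted = ( defined( 'WP_CLI' ) && WP_CLI ) || current_user_can( 'manage_options' );
	if ( $trusted ) {
		return $value;
	}
	osg_log( 'BLOCKED', $option, $old_value, $value );
	return $old_value;
}

// Audit trail for changes that were allowed through.
function osg_audit_option( $old_value, $value, $option ) {
	osg_log( 'CHANGED', $option, $old_value, $value );
}

foreach ( OSG_GUARDED_OPTIONS as $osg_option ) {
	add_filter( "pre_update_option_{$osg_option}", 'osg_guard_option', 10, 3 );
	add_action( "update_option_{$osg_option}", 'osg_audit_option', 10, 3 );
}
```

Entries land in the PHP error log with the `[option-guard]` prefix; a `BLOCKED` line with `ajax=yes` from a non-administrator account is the pattern to alert on.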

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-31T15:37:43.399Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c27a22e1c560fa9d94d457

Added to database: 9/11/2025, 7:28:34 AM

Last enriched: 9/11/2025, 7:29:45 AM

Last updated: 9/11/2025, 7:07:37 PM
