CVE-2025-11855
Description
The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated users, such as a subscriber, to create an admin user with a hardcoded username and arbitrary password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Age Restriction WordPress plugin ≤3.0.2 lacks authorization in age_restrictionRemoteSupportRequest, allowing any authenticated user to create an admin account.
The Age Restriction WordPress plugin through version 3.0.2 contains a privilege escalation vulnerability in the age_restrictionRemoteSupportRequest function. The function lacks proper authorization checks, meaning any authenticated user, regardless of their role, can call it. This includes low-privilege users such as subscribers [1].
An attacker who is already authenticated to the WordPress site (e.g., as a subscriber) can exploit this missing authorization to create a new administrative user. The function creates an admin user with a hardcoded username and an arbitrary password supplied by the attacker. No additional privileges or nonce checks are required [1].
Successful exploitation gives the attacker full control of the WordPress site, including the ability to modify content, install plugins, and change settings. This can lead to further attacks such as site defacement, data theft, or using the site as a pivot to other systems [1].
As of the publication date, no fix is available: the plugin is listed as having no known fix, and users are advised to remove it, replace it with an alternative, or restrict access to the vulnerable function until a patch is released [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
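As an added illustration, not the plugin's own code, the handler below shows the two checks the description says are absent from age_restrictionRemoteSupportRequest: a capability check and a nonce check before any account is created, plus server-side password generation instead of accepting a caller-supplied one. The AJAX hook name, nonce action, and request field names are assumptions.

```php
<?php
// Added example (hypothetical, not the plugin's code): a hardened WordPress
// AJAX handler for a "remote support" account-creation action.
// Hook name, nonce action and request fields are placeholders.

add_action( 'wp_ajax_age_restriction_remote_support', 'hardened_remote_support_request' );

function hardened_remote_support_request() {
    // 1. Authorization: only users allowed to create and promote users proceed.
    //    Without this check any logged-in subscriber could reach the code below.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: verify the nonce bound to this action (dies on failure).
    check_ajax_referer( 'age_restriction_remote_support_nonce', 'nonce' );

    // 3. Validate inputs rather than trusting request data; reject duplicates.
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' === $username || ! is_email( $email )
        || username_exists( $username ) || email_exists( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or duplicate user.' ), 400 );
    }

    // 4. Never accept a caller-chosen password; generate a strong one server-side.
    $password = wp_generate_password( 24, true, true );
    $user_id  = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }

    // 5. Assign the elevated role explicitly and record who did it for audit.
    $user = new WP_User( $user_id );
    $user->set_role( 'administrator' );
    error_log( sprintf( 'Support account %d created by user %d', $user_id, get_current_user_id() ) );

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```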
Affected products
- Range: <=3.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.