Critical severity9.8NVD Advisory· Published Jun 13, 2025· Updated Apr 15, 2026

CVE-2025-5288

Description

The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/import-export-with-custom-rest-api/tags/2.0.3/backend/methods/wot-rapi-import-functions.phpnvd
wordpress.org/plugins/import-export-with-custom-rest-api/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/0e2774fc-f028-436c-a8af-3c17378b9743nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000