CVE-2025-5814
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Author Request), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The Profiler – What Slowing Down Your WP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpsd_plugin_control() function in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to reactivate previously deactivated plugins after accessing the "Profiler" page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=1.0.0
Patches
Vulnerability mechanics
Root cause
"Missing authorization check in wpsd_plugin_control() allows unauthenticated plugin reactivation."
Attack vector
An unauthenticated attacker sends a crafted HTTP GET request to the WordPress installation with the `wpsd` parameter set to `2` and a `plugin` parameter naming a previously deactivated plugin. Because `wpsd_plugin_control()` performs no authorization check [CWE-862], the function calls `update_option('active_plugins', $wpsd_backup_active_plugins)` to reactivate the plugin. The only prerequisite is that the attacker can reach the 'Profiler' page endpoint.
Affected code
The vulnerable function `wpsd_plugin_control()` in `actions.php` (line 31) lacks any capability or nonce check, allowing unauthenticated callers to enable or disable arbitrary plugins via the `wpsd` and `plugin` GET parameters.
What the fix does
The advisory does not include a published patch. To remediate, the `wpsd_plugin_control()` function must be protected by a capability check (e.g. `current_user_can('activate_plugins')`) and a nonce verification to ensure only authenticated administrators can enable or disable plugins.
Preconditions
- networkAttacker must be able to send HTTP GET requests to the WordPress site (no authentication required).
- configThe 'Profiler' page endpoint must be accessible (the plugin must be installed and active).
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.