{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10299", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-11T20:55:54.797Z", "datePublished": "2025-10-15T08:25:55.167Z", "dateUpdated": "2026-04-08T16:52:22.410Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:22.410Z"}, "affected": [{"vendor": "hakik", "product": "Bifr\u00f6st \u2013 Instant Passwordless Temporary Login Links", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPBifr\u00f6st \u2013 Instant Passwordless Temporary Login Links plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ctl_create_link AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts and subsequently log in as those."}], "title": "WPBifr\u00f6st \u2013 Instant Passwordless Temporary Login Links <= 1.0.7 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50946bc7-8d31-4376-bdcc-de7aad700503?source=cve"}, {"url": "https://wordpress.org/plugins/create-temporary-login/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379010%40create-temporary-login&new=3379010%40create-temporary-login&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-14T19:59:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T14:44:44.020499Z", "id": "CVE-2025-10299", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T14:45:52.224Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10299", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-15T14:44:44.020499Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T14:45:33.059Z"}}], "cna": {"title": "WPBifr\u00f6st \u2013 Instant Passwordless Temporary Login Links <= 1.0.7 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "hakik", "product": "WPBifr\u00f6st \u2013 Instant Passwordless Temporary Login Links", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T19:59:32.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50946bc7-8d31-4376-bdcc-de7aad700503?source=cve"}, {"url": "https://wordpress.org/plugins/create-temporary-login/"}], "descriptions": [{"lang": "en", "value": "The WPBifr\u00f6st \u2013 Instant Passwordless Temporary Login Links plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ctl_create_link AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts and subsequently log in as those."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-15T08:25:55.167Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10299", "state": "PUBLISHED", "dateUpdated": "2025-10-15T14:45:52.224Z", "dateReserved": "2025-09-11T20:55:54.797Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T08:25:55.167Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WPBifr\u00f6st \u2013 Instant Passwordless Temporary Login Links plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ctl_create_link AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts and subsequently log in as those."}], "id": "CVE-2025-10299", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-15T09:15:39.217", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379010%40create-temporary-login&new=3379010%40create-temporary-login&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/create-temporary-login/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50946bc7-8d31-4376-bdcc-de7aad700503?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:06:41.942530+00:00", "value": {"mitigation_remediation": ["Upgrade the Bifr\u00f6st \u2013 Instant Passwordless Temporary Login Links plugin to a version that includes the authorization fix (any release newer than 1.0.7).", "If an immediate upgrade is not possible, temporarily disable or remove the ctl_create_link AJAX action by adding a custom code snippet that blocks the endpoint or by disabling the plugin entirely.", "Audit existing user accounts for unauthorized administrative accounts that may have been created and remove or remediate them.", "Tighten user role management to ensure that only trusted users have Subscriber or higher privileges, and monitor login logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation \u2013 creation of administrative accounts"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Bifr\u00f6st \u2013 Instant Passwordless Temporary Login Links plugin installed with version 1.0.7 or earlier. The flaw applies to all supported versions up to and including 1.0.7. Sites using newer releases are not affected.", "description_and_impact": "The Bifr\u00f6st \u2013 Instant Passwordless Temporary Login Links plugin for WordPress contains a missing capability check on the ctl_create_link AJAX action. Because of this flaw, any authenticated user with Subscriber-level access or higher can invoke the action to create new administrative accounts. The attacker can then log in as those users, resulting in privilege escalation and full control over the site. This vulnerability is categorized as CWE\u2011862, Missing Authorization.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high risk. The EPSS score of less than 1% suggests that the probability of exploitation observed in the environment is low, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, exploitation requires only an existing authenticated user with Subscriber or higher privileges, so an attacker can simply send a crafted request to the ctl_create_link endpoint to create an admin account. Once an administrative account is created, the attacker can authenticate as that user and gain full control. Because the attack vector is internal but does not require elevated permissions beyond a subscriber, the vulnerability is easily exploitable by any logged\u2011in user on the site."}}}}, "created": "2025-10-21T09:41:08.602621+00:00", "updated": "2026-04-22T13:15:17.844106+00:00", "vendors": ["hakik", "hakik$PRODUCT$wpbifrost", "wordpress", "wordpress$PRODUCT$wordpress"]}