{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11855", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-10-16T13:04:43.871Z", "datePublished": "2025-11-11T06:00:08.010Z", "dateUpdated": "2026-04-02T12:39:51.658Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:51.658Z"}, "title": "Age Restriction <= 3.0.2 - Subscriber+ Privilege Escalation", "problemTypes": [{"descriptions": [{"description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "age-restriction", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "3.0.2"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated users, such as subscriber to create an admin user with a hardcoded username and arbitrary password."}], "references": [{"url": "https://wpscan.com/vulnerability/1a16440e-817f-4ec2-9c70-261f6b63fb8a/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Khaled Alenazi (Nxploited)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T21:27:53.545300Z", "id": "CVE-2025-11855", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T18:02:50.228Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-11855", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-12T21:27:53.545300Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T21:28:12.005Z"}}], "cna": {"title": "Age Restriction <= 3.0.2 - Subscriber+ Privilege Escalation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Alenazi (Nxploited)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "age-restriction", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.2"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/1a16440e-817f-4ec2-9c70-261f6b63fb8a/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated users, such as subscriber to create an admin user with a hardcoded username and arbitrary password."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:51.658Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11855", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:51.658Z", "dateReserved": "2025-10-16T13:04:43.871Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2025-11-11T06:00:08.010Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated users, such as subscriber to create an admin user with a hardcoded username and arbitrary password."}], "id": "CVE-2025-11855", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-11T06:15:35.000", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/1a16440e-817f-4ec2-9c70-261f6b63fb8a/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:53:09.700412+00:00", "value": {"mitigation_remediation": ["Upgrade the Age Restriction plugin to version\u202f3.0.3 or later, which patches the missing authorization check.", "If immediate upgrade is not possible, temporarily deactivate the plugin or delete the age_restrictionRemoteSupportRequest exposure until the patch is deployed.", "Restrict the ability for non\u2011administrator roles to access the function by removing the corresponding capability or applying a capability filter."], "summary": {"action": "Update Plugin", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected system is the WordPress Age Restriction plugin, versions up to and including 3.0.2. Users running this plugin on any WordPress environment\u2014regardless of hosting provider or host platform\u2014are at risk. No vendor name was provided, so the plugin is identified by its public name, Age Restriction.", "description_and_impact": "The vulnerability resides in the WordPress Age Restriction plugin version 3.0.2 and earlier. The function age_restrictionRemoteSupportRequest lacks proper authorization checks, permitting any authenticated user\u2014including subscribers\u2014to invoke it. By calling this endpoint the user can create a new administrator account with a hardcoded username and a password chosen at the time of creation. This allows a low\u2011privileged authenticated user to obtain full administrative rights over the WordPress installation, compromising confidentiality, integrity, and availability of the site.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high\u2011severity vulnerability that allows remote privileged escalation. The EPSS score is below 1\u202f%, suggesting that active exploitation is unlikely at present and it is not listed in the CISA KEV catalog. However, the attack requires only authenticated access; anyone with subscriber privileges can exploit it by triggering the vulnerable function. Because the abuse creates an administrator account, the impact is total control over the WordPress installation. Attackers could use existing login credentials to execute the exploit, making it a straightforward privilege escalation and thus a notable risk for sites with many subscriber users."}}}}, "created": "2025-11-12T12:42:40.702663+00:00", "updated": "2026-04-27T23:00:13.982389+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-284", "CWE-285"]}