{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5060", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-21T15:10:04.708Z", "datePublished": "2025-08-23T06:43:36.291Z", "dateUpdated": "2026-04-08T17:21:17.089Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:17.089Z"}, "affected": [{"vendor": "Bravis-Themes", "product": "Bravis User", "versions": [{"version": "0", "status": "affected", "lessThan": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email."}], "title": "Bravis User <= 1.0.1 - Authentication Bypass to Account Takeover", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6c52f1a-2203-4abe-b777-064bd6fd1714?source=cve"}, {"url": "https://themeforest.net/item/graviton-construction-wordpress-theme/50429299"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "cweId": "CWE-288", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Tan Phat"}], "timeline": [{"time": "2025-08-22T18:31:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-25T18:15:55.195749Z", "id": "CVE-2025-5060", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T18:16:08.627Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5060", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-25T18:15:55.195749Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T18:16:04.986Z"}}], "cna": {"title": "Bravis User <= 1.0.1 - Authentication Bypass to Account Takeover", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Tan Phat"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Bravis-Themes", "product": "Bravis User", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-22T18:31:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6c52f1a-2203-4abe-b777-064bd6fd1714?source=cve"}, {"url": "https://themeforest.net/item/graviton-construction-wordpress-theme/50429299"}], "descriptions": [{"lang": "en", "value": "The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:17.089Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5060", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:17.089Z", "dateReserved": "2025-05-21T15:10:04.708Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-23T06:43:36.291Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email."}, {"lang": "es", "value": "El complemento Bravis User para WordPress es vulnerable a la omisi\u00f3n de autenticaci\u00f3n en todas las versiones hasta la 1.0.0 incluida. Esto se debe a que el complemento no inicia sesi\u00f3n correctamente con los datos previamente verificados mediante facebook_ajax_login_callback(). Esto permite que atacantes no autenticados inicien sesi\u00f3n como usuarios administrativos, siempre que tengan una cuenta en el sitio y acceso al correo electr\u00f3nico del usuario administrativo."}], "id": "CVE-2025-5060", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-23T07:15:31.953", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/graviton-construction-wordpress-theme/50429299"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6c52f1a-2203-4abe-b777-064bd6fd1714?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:22:42.298457+00:00", "value": {"mitigation_remediation": ["Upgrade the Bravis User plugin to the latest release that addresses the authentication logic flaw.", "If an upgrade cannot be performed immediately, disable the Facebook login feature or enforce a re\u2011authentication step before granting admin privileges.", "Implement multi\u2011factor authentication for all administrative accounts and enforce strong, unique passwords to reduce the risk of credential compromise."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass to Account Takeover"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Bravis User plugin version 1.0.1 or earlier are affected. The vulnerability is specific to the Bravis-Themes packaging of the Bravis User plugin and does not impact newer releases beyond 1.0.1.", "description_and_impact": "The Bravis User WordPress plugin allows unauthenticated attackers to bypass login authentication because the plugin fails to record a user session after processing a Facebook login callback. Based on the description, it is inferred that the attack vector is the publicly accessible Facebook login callback endpoint, which accepts the attacker\u2011supplied authentication data without proper session establishment. Once an attacker provides the email address of an existing administrative account, the callback accepts the authentication data and grants administrative privileges without enforcing a fresh session. This results in a full account takeover that could compromise site content, user data, and configuration.", "risk_and_exploitability": "The flaw has a CVSS score of 8.1, indicating high severity, but the EPSS score is below 1% and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting current exploitation likelihood is low. Nonetheless, the attack requires knowledge of an administrative email address and agreement to a social login, which can be obtained through phishing or data leaks. Once those prerequisites are met, an attacker can remotely gain full administrative control of the site."}}}}, "created": "2025-08-23T17:27:23.670090+00:00", "updated": "2026-04-21T03:30:26.334280+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}