{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9544", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-08-27T13:52:12.254Z", "datePublished": "2025-10-29T06:00:06.910Z", "dateUpdated": "2026-04-02T12:39:56.346Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:56.346Z"}, "title": "Doppler Forms <= 2.5.1 - Subscriber+ Limited Plugin Installation", "problemTypes": [{"descriptions": [{"description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Doppler Forms", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "2.5.1"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user \u2014 including those with the Subscriber role \u2014 can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1)."}], "references": [{"url": "https://wpscan.com/vulnerability/06312fba-dfc5-47af-afe3-b01d8941acbf/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Khaled Alenazi (Nxploited)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-10-29T13:50:04.334477Z", "id": "CVE-2025-9544", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-29T13:51:20.351Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-9544", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-29T13:50:04.334477Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-29T13:51:11.413Z"}}], "cna": {"title": "Doppler Forms <= 2.5.1 - Subscriber+ Limited Plugin Installation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Alenazi (Nxploited)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Doppler Forms", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.1"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/06312fba-dfc5-47af-afe3-b01d8941acbf/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user \u2014 including those with the Subscriber role \u2014 can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:56.346Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9544", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:56.346Z", "dateReserved": "2025-08-27T13:52:12.254Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2025-10-29T06:00:06.910Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user \u2014 including those with the Subscriber role \u2014 can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1)."}], "id": "CVE-2025-9544", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-10-29T06:15:33.647", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/06312fba-dfc5-47af-afe3-b01d8941acbf/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T23:33:23.489382+00:00", "value": {"mitigation_remediation": ["Update the Doppler Forms plugin to a version newer than 2.5.1 that implements capability checks for installing extensions.", "If an immediate update is not possible, remove the install_extension AJAX action by editing the plugin or using a custom snippet to unhook it, thereby preventing unauthenticated extension installation.", "Revoke or limit Subscriber role permissions to access the Plugins administration area, ensuring only administrators can manage extensions."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized plugin installation by low\u2011privilege users"}, "threat_synthesis": {"affected_systems": "Any WordPress site running Doppler Forms version 2.5.1 or earlier is vulnerable. The exploit is limited to the plugin\u2019s extension list, but installing even a benign extension gives an attacker a foothold for further compromise.", "description_and_impact": "The Doppler Forms plugin registers an AJAX action called install_extension without checking the user\u2019s capabilities or validating a nonce. As a result, any authenticated user can trigger the action and install or activate additional plugins that are whitelisted by the plugin itself. This flaw effectively allows privilege escalation from a Subscriber role to the ability to modify the site\u2019s functionality and potentially introduce malicious code.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, yet the EPSS score of less than 1% suggests a very low chance of exploitation in the wild. The flaw is not yet listed in the CISA KEV catalog. Because the attack vector requires an authenticated user with at least Subscriber level access, the risk is confined to sites with many low\u2011privilege accounts. However, once an extension is installed, the attacker could gain elevated privileges if the extension contains a vulnerability or malicious payload."}}}}, "created": "2025-10-30T14:38:54.038782+00:00", "updated": "2026-04-27T23:45:15.882137+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-284"]}