WordPress is one of the most widely used website platforms, making it a prime target for cyberattacks. Its strength lies in flexibility—thousands of themes and plugins—but that same strength becomes a risk when developers overlook secure coding or access control. Even one vulnerable plugin can expose an entire website.

In May 2025, security researchers uncovered a wave of critical zero-day vulnerabilities affecting popular WordPress plugins and themes. Most of these flaws share the same CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`. In simpler terms, these are remote, unauthenticated attacks that require no user interaction and can result in complete system compromise—confidential data leaks, admin account takeovers, or even complete website control.

In this post, we break down the most dangerous WordPress vulnerabilities disclosed in May 2025. We’ll also explain what makes them especially severe and how site owners can take action to stay protected.

1. CVE-2025-4631 – Profitori Plugin Privilege Escalation CVSS: 9.8 (CRITICAL)

The Profitori plugin’s stocktend_object endpoint allows unauthenticated requests to manipulate the wp_capabilities field, promoting regular users to administrators—or creating admin accounts from scratch. There is no permission check before calling save_object_as_user().

CVSS Vector Highlights:

• AV:N – The attack is fully remote; no network access or credentials are needed.
• PR:N – No privilege required; the attacker doesn't need to be logged in.
• AC:L & UI:N – No user action or elevated skill level needed.
• C:H/I:H/A:H – Confidentiality, integrity, and availability are all fully compromised. This isn’t just a hijack; it’s total site control.

View CVE


2. CVE-2025-4607 – PSW Front-End Login OTP Bypass CVSS: 9.8 (CRITICAL)

The plugin’s forget() function implements an OTP mechanism that is trivially guessable. Attackers can reset the passwords of any user, including administrators, through brute-force attacks.

CVSS Vector Highlights:

• AC:L – OTP entropy is so low that guessing it requires no special effort.
• PR:N/UI:N – No login or phishing involved. A simple POST request can reset credentials.
• I:H – The attacker gains the ability to change credentials, effectively owning the account.
• Ideal for bots – This type of vulnerability is quickly weaponized in credential-stuffing attacks.

View CVE


3. CVE-2025-5058 – eMagicOne Store Manager Arbitrary File Upload CVSS: 9.8 (CRITICAL)

By skipping MIME-type or extension checks, the set_image() function allows unauthenticated users to upload executable PHP files. Combined with the default credentials (1:1), this can lead to immediate remote code execution (RCE).
CVSS Vector Highlights:

• C:H/I:H/A:H – The attacker gains persistent backdoor access and may modify or destroy data.
• AV:N/AC:L – Execution can be automated from any remote botnet.
• RCE is the worst-case scenario – it’s game over.

View CVE


4. CVE-2025-4524 – Madara Theme Local File Inclusion (LFI) CVSS: 9.8 (CRITICAL)

A user-controlled template parameter in this popular manga theme allows attackers to include arbitrary server-side PHP files. If a malicious file is already uploaded through another vector, the LFI can be used to execute it.

CVSS Vector Highlights:

• S:U (Scope Unchanged) – Exploiting the vulnerability doesn’t require cross-component compromise.
• Chainable – When paired with an upload flaw, this LFI becomes an RCE.
• C:H/I:H – Read or execute any file on the server—especially powerful with wp-config.php or .htaccess.

View CVE


5. CVE-2025-4322 – Motors Theme Password Reset Flaw CVSS: 9.8 (CRITICAL)

This theme fails to properly validate user identity before resetting passwords. Attackers can craft requests to change any user’s password—resulting in an account takeover.

CVSS Vector Highlights:

• PR:N/UI:N – Zero barriers to entry. No login, no phishing, no social engineering.
• I:H – Total identity theft. Admin roles fall easily to this method.
• Website defacement, SEO spam, phishing kit deployment—all become trivial post-exploitation.

View CVE


6. CVE-2025-39348 – ThemeGoods Grand Restaurant Object Injection CVSS: 9.8 (CRITICAL)

This plugin accepts serialized PHP objects from unauthenticated users—opening the door to Object Injection attacks. When paired with other vulnerable plugins, this can lead to complete exploit chains using Property-Oriented Programming (POP) gadgets.

CVSS Vector Highlights:

• C:H/I:H/A:H – Depending on available classes, the impact ranges from info disclosure to full RCE.
• Silent exploitation – Often overlooked due to no visible symptoms.
• It is highly dangerous in plugin-rich environments – where many serialized objects coexist.

View CVE


7. CVEs 2025-4403, 4389, 4391 – File Upload Vulnerabilities in WooCommerce Extensions CVSS: 9.8 (CRITICAL)

These vulnerabilities allow unauthenticated file uploads without proper sanitization. Once a PHP file is uploaded, the attacker can invoke it to execute arbitrary code.

CVSS Vector Highlights:

• AV:N/AC:L/PR:N/UI:N – This attack vector is automatable at scale via bots and scripts.
• A:H – Attackers may also install ransomware payloads, destroying availability.
• WooCommerce attack surface – Makes these plugins particularly dangerous for online stores handling transactions.

CVE-2025-4403 | CVE-2025-4389 | CVE-2025-4391


8. CVE-2025-4564 – TicketBAI WooCommerce Arbitrary File Deletion
CVSS: 9.8 (CRITICAL)

Improper input validation allows unauthenticated actors to delete any file on the server. Critical files, such as wp-config.php, .htaccess, or plugin index files, can be wiped—resulting in denial of service or privilege escalation through reinstallation flows.

CVSS Vector Highlights:

• A:H – Service availability is completely compromised.
• C:H/I:H – The attacker can selectively destroy sensitive configurations and gain control after a forced reset.
• It is ideal for destructive malware campaigns or cover-ups after compromise.

View CVE

The vulnerabilities highlighted above share a hazardous profile: they are unauthenticated, remotely exploitable, and require no user interaction. This combination makes them ideal targets for attackers and especially hard to defend against without proactive security measures in place.

Why are these flaws so critical?

• Easy to Weaponize via Bots: Since no login or user action is needed, attackers can easily automate these exploits. Malicious bots constantly scan the internet for vulnerable WordPress sites and strike within hours of a flaw being published. You don’t have to be a high-profile target—any site running the vulnerable plugin or theme becomes a candidate for attack.

• Ideal for Mass Exploitation: Once attackers identify a new vulnerability, they often launch large-scale campaigns to compromise as many websites as possible. These mass attacks can quickly spiral into widespread damage across thousands of sites.

• Used in Real-World Malware Campaigns: Cybercriminals use these flaws to inject malicious code that may:

1. Redirect visitors to phishing or scam sites
2. Infect visitors with drive-by malware
3. Insert SEO spam links to manipulate search engine rankings
4. Install backdoors for persistent access
5. Exfiltrate sensitive customer or administrative data

A single vulnerable plugin or theme can result in a full server takeover, data breaches, or complete operational disruption. Beyond immediate damage, this can lead to long-term consequences such as:

• Search engine blocklisting, removing your site from Google results
• Loss of customer trust, especially if personal data is stolen
• Revenue loss from downtime, reputational harm, or cleanup costs
• Hosting provider penalties, including account suspension

Being reactive isn’t enough anymore. Many of these exploits are 0-days, meaning they’re abused before a fix is even available. That’s why proactive website security is no longer optional—it’s a business-critical necessity.

To protect your site effectively, you need continuous monitoring, regular vulnerability scanning, hardened configurations, and a fast response plan in place. Website owners who take security seriously are not only protecting their data—they’re protecting their brand, customers, and future.

Quttera’s threat intelligence and malware protection services are designed to address precisely these types of critical vulnerabilities. We offer:

• Daily malware & blackliting scans
• Uptime & DNS monitoring
• Automatic detection of malicious uploads
• Security hardening for plugin & theme configurations
• Instant alerts and incident response

Whether you're an agency managing 100 sites or a solo web admin, Quttera empowers you to secure your digital assets proactively—not reactively.

The vulnerabilities disclosed in May 2025 reinforce an apparent reality: WordPress security is only as strong as its weakest plugin when that plugin is vulnerable to unauthenticated RCE, file upload, or admin hijack; every second without protection counts.

Keep your plugins updated, audit your extensions, and ensure a dedicated security partner like Quttera protects you.