PT-2026-46208 · Framework · Hybrid Composer
Yasin
·
Publicado
2026-06-04
·
Atualizado
2026-06-04
·
CVE-2019-25738
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc ajax save option action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to hc ajax save option to enable user registration and set the default role to administrator, enabling account takeover.
Exploit
Correção
Missing Authentication
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Hybrid Composer