PT-2025-23371 · WordPress · Wp-Geometa
Kenneth Dunn · Published 2025-05-31 · Updated 2025-06-05 · CVE-2025-4103
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WP-GeoMeta plugin for WordPress versions 0.3.4 through 0.3.5
Description
The issue is a missing capability check on the wp_ajax_wpgm_start_geojson_import() function, which allows authenticated attackers with Subscriber-level access and above to elevate their privileges to that of an administrator.
Recommendations
For WP-GeoMeta plugin for WordPress versions 0.3.4 through 0.3.5, consider disabling the wp_ajax_wpgm_start_geojson_import() function until a patch is available to prevent privilege escalation.
Fix
LPE
Improper Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Wp-Geometa