PT-2025-23376 · WordPress · Offsprout Page Builder
Kenneth Dunn · Published 2025-05-31 · Updated 2025-06-05 · CVE-2025-4672
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
The Offsprout Page Builder plugin for WordPress versions 2.2.1 through 2.15.2
Description
The issue is improper authorization in the permission_callback() function. It allows authenticated attackers with Contributor-level access and above to escalate their privileges by modifying user meta, including their own wp_capabilities, to gain administrator access.
Recommendations
For versions 2.2.1 through 2.15.2, consider disabling the permission_callback() function until a patch is available, to prevent exploitation. Restrict access to user meta to minimize the risk of privilege escalation. Avoid using the wp_capabilities meta key in the affected function until the issue is resolved.
Fix
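The following is an added illustration and is not code from the Offsprout Page Builder plugin or from this advisory. It shows a hypothetical WordPress REST route that writes user meta, first with a permission_callback that only checks for a logged-in user (the improper-authorization pattern the description refers to), then with a hardened callback that requires the edit_user capability for the target account and refuses the wp_capabilities and wp_user_level keys outright, which is what "restrict access to user meta" amounts to in practice. The route namespace, function names and the pb_demo prefix are assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code). Route names, the pb-demo
 * namespace and all pb_demo_* function names are hypothetical.
 */

// Meta keys that carry roles/capabilities and must never be writable through a
// generic "update user meta" endpoint. wp_capabilities / wp_user_level are the
// defaults; the table prefix can differ per install, so also derive it from $wpdb.
function pb_demo_role_meta_keys() {
    global $wpdb;
    $prefix = $wpdb->get_blog_prefix();
    return array_unique( array(
        'wp_capabilities',
        'wp_user_level',
        $prefix . 'capabilities',
        $prefix . 'user_level',
    ) );
}

// WEAK: any authenticated user (Contributor and above) passes. Paired with a
// handler that writes arbitrary meta keys, this is the improper-authorization
// pattern described in the advisory. Kept here only for contrast.
function pb_demo_weak_permission_callback( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED: the caller must hold the edit_user meta capability for the target
// account (Contributors only have it for themselves), and role/capability keys
// are refused regardless of who is asking. sanitize_key() lower-cases the key
// before the comparison so mixed-case spellings cannot slip past the deny list.
function pb_demo_strict_permission_callback( WP_REST_Request $request ) {
    $user_id  = (int) $request->get_param( 'user_id' );
    $meta_key = sanitize_key( (string) $request->get_param( 'meta_key' ) );

    if ( $user_id <= 0 || '' === $meta_key ) {
        return new WP_Error( 'rest_invalid_param', 'user_id and meta_key are required.', array( 'status' => 400 ) );
    }
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not edit this user.', array( 'status' => 403 ) );
    }
    if ( in_array( $meta_key, pb_demo_role_meta_keys(), true ) || is_protected_meta( $meta_key, 'user' ) ) {
        return new WP_Error( 'rest_forbidden', 'This meta key cannot be changed through this endpoint.', array( 'status' => 403 ) );
    }
    return true;
}

// The handler re-checks the deny list: if the permission callback is ever
// weakened or bypassed, the write path still refuses role/capability keys.
function pb_demo_update_user_meta( WP_REST_Request $request ) {
    $user_id  = (int) $request->get_param( 'user_id' );
    $meta_key = sanitize_key( (string) $request->get_param( 'meta_key' ) );
    $value    = sanitize_text_field( (string) $request->get_param( 'meta_value' ) );

    if ( in_array( $meta_key, pb_demo_role_meta_keys(), true ) ) {
        return new WP_Error( 'rest_forbidden', 'Refusing to write a role/capability key.', array( 'status' => 403 ) );
    }
    update_user_meta( $user_id, $meta_key, $value );
    return rest_ensure_response( array( 'updated' => $meta_key ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'pb-demo/v1', '/user-meta', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'pb_demo_update_user_meta',
        'permission_callback' => 'pb_demo_strict_permission_callback',
        'args'                => array(
            'user_id'    => array( 'required' => true, 'type' => 'integer' ),
            'meta_key'   => array( 'required' => true, 'type' => 'string' ),
            'meta_value' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

Two design points: edit_user alone is not enough, because every logged-in user holds it for their own account, so the deny list on capability keys is what actually stops a Contributor from promoting themselves; and the deny list lives in both the permission callback and the handler so that a future change to one does not silently reopen the other.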
LPE
Improper Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Offsprout Page Builder