CVE-2025-5288

Name of the Vulnerable Software and Affected Versions REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress versions 1.0.0 through 2.0.3

Description The issue is related to a missing capability check on the process handler() function, allowing unauthenticated attackers to escalate privileges. This can be achieved by sending a POST request with an arbitrary import api URL and specially crafted JSON data, resulting in the creation of a new user with full Administrator privileges.

Recommendations For versions 1.0.0 through 2.0.3, consider disabling the process handler() function until a patch is available to prevent unauthenticated privilege escalation. Restrict access to the import API endpoint to minimize the risk of exploitation. Avoid using the import api URL in the affected API endpoint until the issue is resolved.