CVE-2025-6380

Name of the Vulnerable Software and Affected Versions ONLYOFFICE Docs plugin for WordPress versions 1.1.0 through 2.2.0

Description The ONLYOFFICE Docs plugin for WordPress is susceptible to a privilege escalation issue due to insufficient authorization checks within the oo.callback REST endpoint. The plugin’s permission callback verifies the existence of an attachment post based on an encrypted attachment ID, but fails to validate the identity or capabilities of the requester. This allows unauthenticated attackers to impersonate arbitrary users.

Recommendations ONLYOFFICE Docs plugin for WordPress version 1.1.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 1.1.1: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 1.2.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 1.3.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 1.4.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 1.5.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 1.6.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 1.7.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 1.8.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 1.9.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 2.0.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 2.1.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ONLYOFFICE Docs plugin for WordPress version 2.2.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.