PT-2025-41355 · WordPress · Lisfinity Core
Alyudin Nafiie · Published 2025-10-09 · Updated 2025-10-15 · CVE-2025-6038
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Lisfinity Core plugin for WordPress versions prior to 1.4.1
Description
The Lisfinity Core plugin for WordPress is susceptible to privilege escalation. An authenticated attacker with Subscriber-level access or higher can modify passwords for any user, including administrators. This occurs because the plugin does not adequately verify a user’s identity before allowing password updates. The vulnerable component is the password update functionality.
Recommendations
Update the Lisfinity Core plugin to version 1.4.1 or later.
Fix
LPE
IDOR
Affected Products
Lisfinity Core