WordPress Plugin Vulnerabilities

WP Foodbakery <= 4.7 - Authentication Bypass

Description

The plugin is vulnerable to privilege escalation via account takeover due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's (e.g. administrators) account.

Affects Plugins

Plugin icon
wp-foodbakery
No known fix

References

CVE
CVE-2025-0181
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d722ec8d-bfca-4da1-8eb0-8d33735c5e44

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Tonn
Verified
No
WPVDB ID
063ce546-3dd4-44c9-bf39-90f75d459577

Timeline

Publicly Published
2025-02-10 (about 1 year ago)
Added
2025-02-11 (about 1 year ago)
Last Updated
2025-02-11 (about 1 year ago)

Other

Published
Title
Published
2020-02-06
Title
Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities
Published
2019-03-17
Title
Easy WP SMTP <= 1.3.9 - Unauthenticated Arbitrary wp_options Import
Published
2021-12-08
Title
Registration Magic < 5.0.1.8 - Authentication Bypass
Published
2024-07-08
Title
WP2Speed Faster – Optimize PageSpeed Insights Score 90-100 <= 1.0.1 - Improper Authorization due to use of Hardcoded Credentials
Published
2025-10-14
Title
OwnID Passwordless Login <= 1.3.4 - Authentication Bypass