WordPress Plugin Vulnerabilities

Miraculous Core < 2.0.8 - Unauthenticated Privilege Escalation

Description

The plugin is vulnerable to Privilege Escalation. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.

Affects Plugins

Plugin icon
miraculouscore
Fixed in 2.0.8

References

CVE
CVE-2025-49388
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/dd8e9153-d84d-4510-9cc7-d24e56fd01db

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
0xd4rk5id3
Verified
No
WPVDB ID
38585c08-ad9b-4bb9-b1ab-38bd8ec59a4a

Timeline

Publicly Published
2025-08-21 (about 7 months ago)
Added
2025-08-26 (about 7 months ago)
Last Updated
2025-08-26 (about 7 months ago)

Other

Published
Title
Published
2026-03-20
Title
App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter
Published
2026-03-20
Title
RewardsWP < 1.0.5 - Unauthenticated Privilege Escalation
Published
2025-11-26
Title
FindAll Listing < 1.1 - Unauthenticated Privilege Escalation
Published
2024-02-17
Title
Login as User or Customer <= 3.8 - Admin Account Takeover
Published
2024-04-23
Title
Booking Ultra Pro < 1.1.13 - Authenticated (Contributor+) Privilege Escalation