Residential Address Detection < 2.5.5 – Unauthenticated Arbitrary Options Update | CVE 2025-27270 | Plugin Vulnerabilities

Description

The Residential Address Detection plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on a function in all versions up to, and including, 2.5.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affects Plugins

residential-address-detection

Fixed in 2.5.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/19c824ce-40e2-44fb-a356-6a02bd13cc67

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

LVT-tholv2k

Verified

No

WPVDB ID

6a75296e-bda2-4215-addc-6c744a606ff0

Timeline

Publicly Published

2025-02-21 (about 1 year ago)

Added

2025-03-03 (about 1 year ago)

Last Updated

2025-03-03 (about 1 year ago)

Other

Published

Title

Published

2024-04-09

Title

Soledad < 8.4.6 - Missing Authorization

Published

2024-12-11

Title

WPCargo Track & Trace <= 8.0.2 - Subscriber+ Settings Update

Published

2023-11-20

Title

Perfmatters < 2.1.7 - Missing Authorization

Published

2024-04-12

Title

Pardot < 2.1.1 - Missing Authorization

Published

2026-03-12

Title

Formidable Forms < 6.29 - Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse