Demo Importer Plus < 2.0.9 – Missing Authorization to Authenticated (Subscriber+) Site Reset and Privilege Escalation | CVE 2025-14364 | Plugin Vulnerabilities

Description

The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account.

Affects Plugins

demo-importer-plus

Fixed in 2.0.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ff9364a9-18f8-47d3-b992-e39c8d99d6ea

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

shark3y

Verified

No

WPVDB ID

97788bbe-c605-453d-9343-235d9c851911

Timeline

Publicly Published

2025-12-17 (about 5 months ago)

Added

2025-12-17 (about 5 months ago)

Last Updated

2025-12-18 (about 5 months ago)

Other

Published

Title

Published

2026-05-04

Title

GeekyBot < 1.2.3 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation via 'geekybot_frontendajax' AJAX Action

Published

2026-05-07

Title

Royal Elementor Addons < 1.7.1053 - Unauthenticated Missing Authorization

Published

2025-12-31

Title

Criptopayer for Elementor <= 1.0.1 - Missing Authorization

Published

2025-07-08

Title

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible < 6.7.17 - Missing Authorization to Unauthenticated Plugin Settings Modification

Published

2025-03-28

Title

Clear Sucuri Cache <= 1.4 - Missing Authorization