Cyber Posture

CVE-2025-0180

Critical

Published: 11 February 2025

Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0033 (55.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.7. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator.

Security Summary

CVE-2025-0180 is a privilege escalation vulnerability in the WP Foodbakery plugin for WordPress, affecting all versions up to and including 4.7. The flaw stems from the plugin not properly restricting what user meta can be updated during profile registration. It was published on 2025-02-11 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is mapped to CWE-269.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By registering a new profile, they can modify user meta to gain administrator privileges, potentially achieving full site compromise including high impacts on confidentiality, integrity, and availability.

Advisories provide further details on the issue, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/d7140a6e-a528-428e-850e-5e4a481c5d7d?source=cve and the plugin listing on ThemeForest at https://themeforest.net/item/food-bakery-restaurant-bakery-responsive-wordpress-theme/18970331.
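The root cause described above, user meta accepted from the registration request without restriction, is normally closed with a server-side allowlist. The sketch below is an added example, not code from the plugin or its vendor; the field names, the `filter_registration_meta` helper and the sample request are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only profile fields a public registration
// form is permitted to set. Everything else is dropped, never written.
const REGISTRATION_META_ALLOWLIST = ['first_name', 'last_name', 'phone', 'address'];

/**
 * Split submitted meta into accepted and rejected keys.
 * The account role is not handled here on purpose: it must be assigned by
 * the server from site configuration, never derived from request data.
 */
function filter_registration_meta(array $submitted, array $allowlist): array
{
    $accepted = [];
    $rejected = [];
    foreach ($submitted as $key => $value) {
        // Exact key match and plain string value only; nested arrays and
        // numeric keys are treated as unexpected input.
        if (is_string($key) && in_array($key, $allowlist, true) && is_string($value)) {
            $accepted[$key] = trim(strip_tags($value));
        } else {
            $rejected[] = (string) $key;
        }
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed sample request body (not taken from real traffic).
$post = [
    'first_name'     => ' Ada ',
    'phone'          => '<b>555-0100</b>',
    'unexpected_key' => 'anything',          // not on the allowlist
    'address'        => ['nested' => 'x'],   // wrong type for an allowed key
];

$result = filter_registration_meta($post, REGISTRATION_META_ALLOWLIST);

// Rejected keys are worth logging: on a public form they indicate a
// tampered request rather than a normal user mistake.
if ($result['rejected'] !== []) {
    error_log('registration: dropped meta keys: ' . implode(',', $result['rejected']));
}

print_r($result['accepted']);
```

Only `first_name` and `phone` survive for the sample request; the other two keys are dropped and logged.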

Details

CWE(s): CWE-269
