CVE-2025-11007
Published: 04 November 2025
Description
Adversaries may create a local account to maintain access to victim systems.
Security Summary
CVE-2025-11007 affects the CE21 Suite plugin for WordPress, specifically versions 2.2.1 through 2.3.1. The vulnerability stems from a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action, enabling unauthorized updates to the plugin's settings. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. By sending crafted requests to the vulnerable AJAX endpoint, they can modify the plugin's API settings, including the secret key used for authentication. This grants them the ability to create new administrator accounts on the affected WordPress site, potentially leading to full site compromise.
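For readers fixing or reviewing a plugin with this class of defect, the following is an added illustrative handler, not the CE21 Suite plugin's own code: it shows the hardened shape of a WordPress AJAX handler that changes settings (authenticated hook only, capability check, nonce check, input validation). The option name `example_sso_api_settings`, the function name and the `api_secret`/`nonce` field names are hypothetical placeholders.

```php
<?php
// Added example, not code from the CE21 Suite plugin. The weakness behind
// CVE-2025-11007 is a settings-saving handler reachable through a
// wp_ajax_nopriv_* hook (anonymous visitors) with no capability check.
// Option name, function name and field names below are placeholders.

// Register only the authenticated hook. A configuration-changing handler
// must not also be attached to wp_ajax_nopriv_ce21_single_sign_on_save_api_settings,
// because nopriv hooks run for unauthenticated requests.
add_action( 'wp_ajax_ce21_single_sign_on_save_api_settings', 'example_save_api_settings' );

function example_save_api_settings() {
    // 1. Capability check: only users who may manage options can save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Nonce check against CSRF. The client must send the value produced by
    //    wp_create_nonce( 'example_save_api_settings' ) in the 'nonce' field.
    check_ajax_referer( 'example_save_api_settings', 'nonce' );

    // 3. Validate and sanitize input; refuse to store an empty secret key.
    $secret = isset( $_POST['api_secret'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_secret'] ) )
        : '';
    if ( '' === $secret ) {
        wp_send_json_error( array( 'message' => 'api_secret is required.' ), 400 );
    }

    // 4. Persist with an audit trail of who changed the secret and when.
    $settings = array(
        'api_secret' => $secret,
        'updated_by' => get_current_user_id(),
        'updated_at' => time(),
    );
    update_option( 'example_sso_api_settings', $settings, false );

    wp_send_json_success( array( 'message' => 'Settings saved.' ) );
}
```

Logging the `updated_by` / `updated_at` fields also gives defenders a simple indicator to review after patching: any change to the secret that is not tied to a known administrator session warrants investigation.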
Advisories from Wordfence and the plugin's WordPress.org page provide further details on this issue. Security practitioners should refer to https://www.wordfence.com/threat-intel/vulnerabilities/id/5e24feac-1812-45d7-b3c3-27787eed1cf1?source=cve and https://wordpress.org/plugins/ce21-suite/ for patch information and mitigation guidance; both were published on 2025-11-04.
Details
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1136.001: Create Account: Local Account
Why these techniques?
The vulnerability allows unauthenticated exploitation of a public-facing WordPress plugin AJAX endpoint (T1190), enabling attackers to overwrite the API secret key and subsequently create unauthorized administrator accounts (T1136.001).