CVE-2025-27270
Published: 03 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-27270 is a missing authorization vulnerability (CWE-862) in the Residential Address Detection WordPress plugin by enituretechnology. The flaw allows privilege escalation through arbitrary option updates and affects all versions from n/a through 2.5.4. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation enables privilege escalation by updating arbitrary plugin options, potentially granting elevated access within the affected WordPress installation.
The Patchstack advisory provides details on this WordPress plugin vulnerability, including the arbitrary option update leading to privilege escalation; security practitioners should consult it for assessment and mitigation guidance at https://patchstack.com/database/Wordpress/Plugin/residential-address-detection/vulnerability/wordpress-residential-address-detection-plugin-2-5-4-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authorization flaw in a public-facing WordPress plugin allowing unauthenticated remote attackers to perform arbitrary option updates leading directly to privilege escalation.