CVE-2025-5483

CVE-2025-5483 is a privilege escalation vulnerability in the LC Wizard plugin for WordPress, stemming from a missing capability check in the ghl-wizard/inc/wp_user.php file. It affects versions 1.2.10 through 1.3.0 of the plugin when the PRO functionality is enabled. The issue, classified under CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability over the network by leveraging the absence of capability checks to create new user accounts with administrator privileges. Exploitation requires high attack complexity, likely involving specific conditions tied to the PRO features, but no prior privileges or user interaction are needed, enabling remote compromise of affected WordPress sites.

Mitigation details are available in the plugin's official patch at https://plugins.trac.wordpress.org/changeset/3366906 and Wordfence's threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/42dcc302-b543-42c7-99fa-605f017beb1a?source=cve, which outline the fix and recommend updating to a patched version beyond 1.3.0.