Cyber Posture

CVE-2025-6388

Severity: Critical
Published: 03 October 2025
Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0053 (67.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-6388 is an authentication bypass vulnerability affecting the Spirit Framework plugin for WordPress in all versions up to and including 1.2.14. The issue stems from the custom_actions() function, which fails to properly validate a user's identity before authenticating them to the site. This flaw, classified under CWE-288, has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. Because the bypass needs only a valid username, an attacker who knows an administrator's username can log in as any user, including administrators, and gain full control over the affected WordPress site. This enables actions such as data exfiltration, modification of site content, or further compromise of the environment.
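A defender-side heuristic audit for this defect class, added here as an illustration rather than code from the advisory or the plugin: it scans PHP source for functions that issue a WordPress login session without verifying credentials in the same function body. The PHP sample embedded below is constructed for the demonstration and does not reproduce the Spirit Framework's custom_actions() code; its function names are assumptions.

```python
import re

# Heuristic audit for the CWE-288 defect class: a WordPress plugin function
# that issues a login session (wp_set_auth_cookie / wp_set_current_user)
# without verifying the caller's credentials in the same function body.
SESSION_SINKS = ("wp_set_auth_cookie", "wp_set_current_user")
CREDENTIAL_CHECKS = ("wp_authenticate", "wp_check_password", "wp_signon",
                     "wp_authenticate_username_password")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")

# Constructed sample, NOT the Spirit Framework plugin's code. The first function
# models the reported defect (session issued from a caller-supplied username
# only); the second verifies the password before issuing the session.
SAMPLE_PHP = r"""
function issue_session_by_username() {
    $user = get_user_by('login', sanitize_text_field($_POST['username']));
    if ($user) { wp_set_auth_cookie($user->ID, true); }
}
function issue_session_checked() {
    $user = wp_authenticate($_POST['username'], $_POST['password']);
    if (!is_wp_error($user)) { wp_set_auth_cookie($user->ID, true); }
}
"""

def php_functions(src):
    """Yield (name, body) for each function, matching braces to find the body."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def audit(src):
    """Return [(function_name, [sinks])] for functions that set a session
    without any credential check. Heuristic only: a check performed inside a
    helper called from the function is not seen, so review hits by hand."""
    findings = []
    for name, body in php_functions(src):
        sinks = [s for s in SESSION_SINKS if s + "(" in body]
        if sinks and not any(c + "(" in body for c in CREDENTIAL_CHECKS):
            findings.append((name, sinks))
    return findings

if __name__ == "__main__":
    for name, sinks in audit(SAMPLE_PHP):
        print(f"{name}: issues a session via {', '.join(sinks)} with no credential check")
```

Run it over a plugin's PHP files and treat each hit as a review lead, not a confirmed finding.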

Advisories from Wordfence and the plugin developer's changelog at themespirit.com/talemy-changelog/ provide details on mitigation, including recommendations to update to a patched version beyond 1.2.14 where available. Security practitioners should immediately review installations of the Spirit Framework plugin and apply updates or remove it if no patch exists.

Details

CWE(s)
CWE-288

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application for unauthorized admin access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
