CVE-2025-5304

The PT Project Notebooks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the wpnb_pto_new_users_add() function in versions 1.0.0 through 1.1.3. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/project-notebooks/tags/1.1.3/includes/structure/admin/pto_admin_settings.php#L233
https://plugins.trac.wordpress.org/browser/project-notebooks/tags/1.1.3/includes/structure/admin/pto_admin_settings.php#L36
https://wordpress.org/plugins/project-notebooks/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/552ec9fc-5bff-4bee-be04-39892c89cd59?source=cve

Configurations

No configuration.

History

30 Jun 2025, 18:38

Type	Values Removed	Values Added
Summary		(es) El complemento PT Project Notebooks para WordPress es vulnerable a la escalada de privilegios debido a la falta de autorización en la función wpnb_pto_new_users_add() en las versiones 1.0.0 a 1.1.3. Esto permite que atacantes no autenticados eleven sus privilegios a los de administrador.

28 Jun 2025, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-28 06:15

Updated : 2025-06-30 18:38

NVD link : CVE-2025-5304

Mitre link : CVE-2025-5304

CVE.ORG link : CVE-2025-5304

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

9.8 /10