CVE-2019-25738

Published: Giu 04, 2026 Last Modified: Giu 04, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

CRITICAL 9,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to hc_ajax_save_option to enable user registration and set the default role to administrator, enabling account takeover.

306

Missing Authentication for Critical Function

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Other

Potential Impacts:

Gain Privileges Or Assume Identity Varies By Context

Applicable Platforms

Technologies: Cloud Computing, ICS/OT

Likelihood of Exploit: High

View CWE Details

https://labs.sucuri.net/wptf-hybrid-composer-unauthenticate…

https://labs.sucuri.net/wptf-hybrid-composer-unauthenticated-arbitrary-options-…

https://www.exploit-db.com/exploits/47154

https://www.exploit-db.com/exploits/47154

https://www.vulncheck.com/advisories/wordpress-hybrid-compo…

https://www.vulncheck.com/advisories/wordpress-hybrid-composer-unauthenticated-…

http://wordpress.framework-y.com

http://wordpress.framework-y.com

http://wordpress.framework-y.com/hybrid-composer/

http://wordpress.framework-y.com/hybrid-composer/