216.73.217.64

CVE-2025-6038

· Published 09/10/2025 04:16 · Modified 09/10/2025 15:50

Labels: CVE-2025-6038 2025-10-09CVE-2025-6038CWE-639[email protected]

Essential information

Published
09/10/2025 04:16
Modified
09/10/2025 15:50
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation via password update in all versions up to, and including, 1.4.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords, including those of administrators.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
lisfinity / lisfinity core cpe:2.3:a:lisfinity:lisfinity_core:*:*:*:*:*:wordpress:*:*

References