CVE-2025-10706 Overview
CVE-2025-10706 is a missing authorization vulnerability in the Classified Pro theme for WordPress. The flaw resides in the cwp_addons_update_plugin_cb function, which lacks a capability check before processing plugin installation requests. All versions up to and including 1.0.14 are affected.
Authenticated attackers with subscriber-level access or above can install arbitrary plugins on the affected site. Installing attacker-controlled plugins can lead to remote code execution on the WordPress server. The required nonce for triggering the vulnerable path is exposed through the CubeWP Framework plugin, lowering the bar for exploitation.
Critical Impact
Subscriber-level WordPress accounts can install arbitrary plugins, enabling remote code execution against the underlying server.
Affected Products
- Classified Pro theme for WordPress, versions through 1.0.14
- WordPress sites bundling the CubeWP Framework plugin that exposes the required nonce
- Any deployment of Classified Pro that permits subscriber-level registration
Discovery Timeline
- 2025-10-16 - CVE-2025-10706 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-10706
Vulnerability Analysis
The vulnerability is a Missing Authorization weakness classified as CWE-862. The cwp_addons_update_plugin_cb callback handles plugin installation requests but never verifies that the calling user holds the install_plugins capability. WordPress reserves this capability for administrators, yet the handler accepts requests from any authenticated user.
An attacker only needs subscriber-level credentials, which many WordPress sites grant through open registration. After authenticating, the attacker submits a plugin installation request to the AJAX endpoint. The server installs and activates the attacker-supplied plugin without further authorization checks.
Arbitrary plugin installation translates directly to remote code execution. An attacker can upload a plugin containing a web shell, backdoor, or arbitrary PHP code. Once activated, the plugin executes within the WordPress process and inherits filesystem and database access.
Root Cause
The cwp_addons_update_plugin_cb function omits a current_user_can() capability check. Authentication is verified, but authorization is not enforced. The nonce check alone is insufficient because the required nonce is rendered by the companion CubeWP Framework plugin and is accessible to low-privileged users.
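The following is an added illustrative example, not code from the Classified Pro theme or the CubeWP Framework. It places the CWE-862 pattern described above (nonce verified, capability never checked) beside a correctly authorized AJAX handler. The function names, the nonce action 'example_addons_nonce', the 'plugin' request field and the wp_ajax hook name are assumptions made for this example; the WordPress APIs used (check_ajax_referer, current_user_can, plugins_api, Plugin_Upgrader) are real.

```php
<?php
// Added example: contrasts a missing-authorization AJAX handler with a hardened one.
// Names prefixed example_ are assumptions for this illustration, not the theme's code.

// Vulnerable pattern (CWE-862): the nonce only proves the request came from a page
// the user could load; it says nothing about whether the user may install plugins.
// Deliberately not hooked to any action.
function example_addons_install_cb_vulnerable() {
	check_ajax_referer( 'example_addons_nonce', 'nonce' );
	example_addons_install_from_repo( sanitize_key( $_POST['plugin'] ?? '' ) );
	wp_send_json_success();
}

// Hardened pattern: authorization is enforced before any state changes.
function example_addons_install_cb_fixed() {
	check_ajax_referer( 'example_addons_nonce', 'nonce' );

	// install_plugins is the capability WordPress reserves for this operation. With
	// DISALLOW_FILE_MODS set, map_meta_cap maps it to do_not_allow for every user,
	// so this single check also honours that site-wide workaround.
	if ( ! current_user_can( 'install_plugins' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	$slug = sanitize_key( $_POST['plugin'] ?? '' );
	if ( '' === $slug ) {
		wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
	}

	$result = example_addons_install_from_repo( $slug );
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
	}
	wp_send_json_success( array( 'installed' => $slug ) );
}
add_action( 'wp_ajax_example_addons_update_plugin', 'example_addons_install_cb_fixed' );

// Installs a plugin by slug from the wordpress.org repository only, so the client
// never supplies a download URL. Returns true on success or a WP_Error.
function example_addons_install_from_repo( $slug ) {
	require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
	require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

	$api = plugins_api(
		'plugin_information',
		array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
	);
	if ( is_wp_error( $api ) ) {
		return $api;
	}

	$upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
	$installed = $upgrader->install( $api->download_link );
	if ( is_wp_error( $installed ) ) {
		return $installed;
	}
	return true === $installed ? true : new WP_Error( 'install_failed', 'Plugin installation failed.' );
}
```

The ordering matters: the nonce check establishes intent, the capability check establishes privilege, and input validation comes after both. Because wp_send_json_error terminates the request, no code below a failed check runs, which is the property the vulnerable handler lacks.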
Attack Vector
The attack is performed over the network against the WordPress AJAX interface. The attacker authenticates as a subscriber, retrieves the nonce exposed by the CubeWP Framework, and issues a crafted request to the plugin installation callback. The payload references an attacker-controlled plugin archive that executes arbitrary code on activation. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-10706
Indicators of Compromise
- Unexpected plugins appearing under wp-content/plugins/ that were not installed by an administrator
- AJAX requests targeting the cwp_addons_update_plugin action originating from subscriber accounts
- New PHP files containing obfuscated code or calls to eval, base64_decode, or system inside recently installed plugin directories
- WordPress audit log entries showing plugin installations attributed to non-administrative users
Detection Strategies
- Monitor WordPress AJAX traffic for calls to admin-ajax.php with the action=cwp_addons_update_plugin parameter from low-privileged sessions
- Inspect wp_options and the plugin directory for unauthorized additions and correlate with the originating user ID
- Enable WordPress security plugins that log capability mismatches and unexpected plugin installation events
Monitoring Recommendations
- Alert on any plugin installation event tied to a non-administrator account
- Track creation of new PHP files under wp-content/plugins/ outside of scheduled maintenance windows
- Forward web server access logs and WordPress audit logs to a centralized SIEM for correlation against subscriber-account activity
How to Mitigate CVE-2025-10706
Immediate Actions Required
- Disable the Classified Pro theme on any site running version 1.0.14 or earlier until a patched release is applied
- Audit user accounts and remove subscribers that were not created by legitimate registration flows
- Review the wp-content/plugins/ directory and remove any plugin that was not installed by an administrator
- Restrict new user registration or require administrator approval while remediation is in progress
Patch Information
No fixed version is identified in the NVD entry at publication time. Site operators should consult the ThemeForest Product Page for vendor updates and apply any release that supersedes version 1.0.14. The accompanying CubeWP Framework plugin should also be updated to the latest available build.
Workarounds
- Block requests to admin-ajax.php with action=cwp_addons_update_plugin at the web application firewall for non-administrator sessions
- Set DISALLOW_FILE_MODS to true in wp-config.php to prevent plugin installation through the WordPress UI and AJAX handlers
- Enforce least privilege by removing unused subscriber accounts and disabling open registration
# Disable plugin and theme installation/updates site-wide
# Add to wp-config.php
define( 'DISALLOW_FILE_MODS', true );
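The must-use plugin below is an added example, not part of this advisory, the Classified Pro theme or the CubeWP Framework. It implements the Workarounds and Monitoring Recommendations above from inside WordPress: it refuses the cwp_addons_update_plugin AJAX action (the action name is taken from the advisory) for any account lacking install_plugins, and it writes a structured log line for every plugin install, update and activation with the acting user's ID, login and roles. The plugin header, the 'cve-2025-10706-guard' log prefix and the log field names are this example's own choices; the hooks admin_init, upgrader_process_complete and activated_plugin are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Example Plugin-Install Guard and Audit Log
 * Description: Added example (not the theme's or CubeWP's code). Place in
 * wp-content/mu-plugins/ as a compensating control while the theme is unpatched.
 */

// Builds one structured log line from the current user plus event-specific fields.
// The prefix and field names are this example's own convention.
function example_guard_log_line( $event, array $fields = array() ) {
	$user   = wp_get_current_user();
	$fields = array_merge(
		array(
			'event'       => $event,
			'user_id'     => (int) $user->ID,
			'user_login'  => $user->user_login,
			'roles'       => implode( ',', (array) $user->roles ),
			'can_install' => current_user_can( 'install_plugins' ) ? 'yes' : 'no',
			'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] )
				? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
		),
		$fields
	);
	return 'cve-2025-10706-guard ' . wp_json_encode( $fields );
}

// 1) Virtual patch: admin_init fires on admin-ajax.php before any wp_ajax_* handler,
//    so the vulnerable callback never runs for callers without install_plugins.
function example_guard_block_unauthorized_install() {
	if ( ! wp_doing_ajax() ) {
		return;
	}
	$action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
	if ( 'cwp_addons_update_plugin' !== $action || current_user_can( 'install_plugins' ) ) {
		return;
	}
	error_log( example_guard_log_line( 'blocked_plugin_install_request', array( 'action' => $action ) ) );
	wp_send_json_error( array( 'message' => 'Plugin installation is not permitted for this account.' ), 403 );
}
add_action( 'admin_init', 'example_guard_block_unauthorized_install', 0 );

// 2) Audit: every completed plugin install or update, with the acting user.
//    Unattended updates run as user 0, so the ALERT line is limited to logged-in
//    accounts that lack the capability, which is the signature of this CVE.
function example_guard_audit_upgrade( $upgrader, $hook_extra ) {
	if ( empty( $hook_extra['type'] ) || 'plugin' !== $hook_extra['type'] ) {
		return;
	}
	$targets = array();
	if ( ! empty( $hook_extra['plugin'] ) ) {
		$targets[] = $hook_extra['plugin'];
	}
	if ( ! empty( $hook_extra['plugins'] ) ) {
		$targets = array_merge( $targets, (array) $hook_extra['plugins'] );
	}
	$action = isset( $hook_extra['action'] ) ? $hook_extra['action'] : 'unknown';
	error_log( example_guard_log_line( 'plugin_' . $action, array( 'plugins' => $targets ) ) );

	if ( get_current_user_id() > 0 && ! current_user_can( 'install_plugins' ) ) {
		error_log( 'cve-2025-10706-guard ALERT: plugin change by account lacking install_plugins' );
	}
}
add_action( 'upgrader_process_complete', 'example_guard_audit_upgrade', 10, 2 );

// 3) Audit: plugin activation, since the vulnerable path activates what it installs.
function example_guard_audit_activation( $plugin, $network_wide ) {
	error_log( example_guard_log_line(
		'plugin_activated',
		array( 'plugin' => $plugin, 'network_wide' => (bool) $network_wide )
	) );
}
add_action( 'activated_plugin', 'example_guard_audit_activation', 10, 2 );
```

The log lines go to the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is set), which is a convenient source to ship to the SIEM mentioned above; a single search for the 'cve-2025-10706-guard' prefix with can_install "no" covers both the blocked requests and any install that still completed through another path. Because the guard runs at priority 0 on admin_init, it applies regardless of whether a WAF rule is in place, and it does nothing for administrators, so legitimate plugin management is unaffected.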
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.