CVE-2025-8425 Overview
CVE-2025-8425 is a privilege escalation vulnerability in the My WP Translate plugin for WordPress, affecting all versions up to and including 1.1. The flaw stems from a missing capability check on the ajax_import_strings() function. Authenticated attackers with Subscriber-level access or higher can update arbitrary WordPress options. Attackers leverage this primitive to set the default registration role to administrator and enable open user registration, granting themselves administrative access to the site.
Critical Impact
Any authenticated subscriber can escalate to full administrator on a vulnerable WordPress site, leading to complete site compromise.
Affected Products
- My WP Translate plugin for WordPress, all versions up to and including 1.1
- WordPress sites permitting Subscriber-level registration with this plugin installed
- WordPress installations exposing the plugin's AJAX endpoints
Discovery Timeline
- 2025-09-11 - CVE-2025-8425 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-8425
Vulnerability Analysis
The vulnerability resides in the ajax_import_strings() function within the plugin's admin class. The function is registered as an AJAX action accessible to authenticated users but does not validate whether the calling user possesses an administrative capability such as manage_options. Because WordPress AJAX handlers registered under wp_ajax_ are reachable by any logged-in user, the missing check exposes administrative functionality to low-privilege accounts. This issue is categorized under [CWE-862] Missing Authorization.
Root Cause
The handler accepts import data and writes it into WordPress options via update_option() without verifying the user's role or performing a nonce-bound capability check. Capability enforcement should occur through current_user_can('manage_options') before any option write. Its absence permits any authenticated account, including Subscribers, to modify arbitrary configuration values stored in the wp_options table.
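The missing-check pattern and its fix, as an added illustration rather than the plugin's own code: the wp_ajax_ hook name follows this advisory, while the request parameter names, the nonce action and the plugin option key (mwt_translated_strings) are assumptions.

```php
<?php
// Illustrative reconstruction of the CWE-862 pattern, not the plugin's actual
// code: the AJAX hook name follows the advisory, but the request parameter
// names, the nonce action and the plugin's option key are assumptions.

// Pattern the advisory describes: any logged-in user reaches the wp_ajax_ hook,
// and every key in the import data is written straight to wp_options.
// Shown for contrast only; it is deliberately not registered below.
function mwt_ajax_import_strings_missing_check() {
    $data = isset( $_POST['import'] ) ? (array) wp_unslash( $_POST['import'] ) : array();
    foreach ( $data as $option_name => $value ) {
        update_option( $option_name, $value ); // default_role, users_can_register, ...
    }
    wp_send_json_success();
}

// Hardened handler: capability check, nonce check, allowlist of the plugin's
// own option key, and value sanitization before any write.
function mwt_ajax_import_strings_hardened() {
    // Subscribers (and any role without manage_options) are rejected first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Reject requests lacking the nonce the admin screen issued via
    // wp_create_nonce( 'mwt_import_strings' ); check_ajax_referer() dies on failure.
    check_ajax_referer( 'mwt_import_strings', 'nonce' );

    // Even an administrator may only write the plugin's own option; core
    // options such as default_role can never be reached through this handler.
    $allowed = array( 'mwt_translated_strings' ); // hypothetical option key
    $data    = isset( $_POST['import'] ) ? (array) wp_unslash( $_POST['import'] ) : array();
    $written = 0;
    foreach ( $data as $option_name => $value ) {
        if ( ! in_array( $option_name, $allowed, true ) ) {
            continue;
        }
        update_option( $option_name, map_deep( $value, 'sanitize_text_field' ) );
        $written++;
    }
    wp_send_json_success( array( 'written' => $written ) );
}
add_action( 'wp_ajax_import_strings', 'mwt_ajax_import_strings_hardened' );
```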
Attack Vector
An attacker first obtains Subscriber-level credentials, either through open registration or credential reuse. The attacker then issues a crafted POST request to admin-ajax.php invoking the vulnerable AJAX action and supplies import data that overwrites the default_role option to administrator and the users_can_register option to 1. The attacker subsequently registers a new account through the standard WordPress registration flow and receives administrator privileges on login. See the Wordfence Vulnerability Analysis and the WordPress Plugin Source Code for technical context.
Detection Methods for CVE-2025-8425
Indicators of Compromise
- Unexpected changes to the default_role option set to administrator in the wp_options table
- The users_can_register option flipped to 1 without administrator action
- New administrator accounts created shortly after suspicious POST requests to admin-ajax.php
- Requests to admin-ajax.php referencing the ajax_import_strings action from non-admin user sessions
Detection Strategies
- Audit WordPress option history for changes to default_role and users_can_register
- Review web server access logs for POST requests to /wp-admin/admin-ajax.php with the import_strings action originating from Subscriber accounts
- Correlate user registration events with prior AJAX requests from low-privilege sessions
Monitoring Recommendations
- Forward WordPress audit logs and web server access logs to a centralized SIEM for query and correlation
- Alert on any modification of the default_role or users_can_register options
- Monitor for newly created users assigned the administrator role outside of approved change windows
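One way to get the option-change and administrator-creation alerts above out of WordPress itself, as an added example and not part of this advisory or the plugin: a hypothetical must-use plugin (file name and log prefix are assumptions) that hooks core's updated_option and user_register actions and writes to the PHP error log, which the web server or SIEM agent can already collect.

```php
<?php
/**
 * Plugin Name: Option Change Monitor (added example; hypothetical mu-plugin)
 * Drop into wp-content/mu-plugins/ to log every write to the two options
 * abused in CVE-2025-8425, plus every administrator account creation.
 */

// Options whose modification should always be alerted on.
const OCM_WATCHED_OPTIONS = array( 'default_role', 'users_can_register' );

// Who is performing the current request: user id, roles, client IP and URI.
function ocm_actor() {
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    $uri   = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    return sprintf( 'user_id=%d roles=%s ip=%s uri=%s', $user->ID, $roles, $ip, $uri );
}

// Core fires updated_option( $option, $old_value, $value ) after a changed write.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( ! in_array( $option, OCM_WATCHED_OPTIONS, true ) ) {
        return;
    }
    // A change made by an actor without manage_options is the CVE-2025-8425
    // pattern; an administrator's change is still logged for the audit trail.
    $severity = current_user_can( 'manage_options' ) ? 'notice' : 'ALERT';
    error_log( sprintf( '[ocm][%s] option=%s old=%s new=%s %s', $severity,
        $option, wp_json_encode( $old_value ), wp_json_encode( $value ), ocm_actor() ) );
}, 10, 3 );

// Core fires user_register( $user_id, $userdata ) after the role is assigned,
// so a registration that lands in the administrator role is visible here.
add_action( 'user_register', function ( $user_id ) {
    $new_user = get_userdata( $user_id );
    if ( $new_user && in_array( 'administrator', (array) $new_user->roles, true ) ) {
        error_log( sprintf( '[ocm][ALERT] new administrator user_id=%d login=%s %s',
            $user_id, $new_user->user_login, ocm_actor() ) );
    }
}, 10, 1 );
```

Matching on the `[ocm][ALERT]` prefix in the SIEM gives the alert from the Monitoring Recommendations without depending on a separate audit plugin.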
How to Mitigate CVE-2025-8425
Immediate Actions Required
- Update the My WP Translate plugin to a patched version above 1.1, or deactivate and remove the plugin if no fix is available
- Audit all WordPress user accounts and remove unauthorized administrators
- Verify default_role is set to subscriber and users_can_register reflects intended policy
- Reset passwords for any account showing suspicious activity and invalidate active sessions
Patch Information
At the time of NVD publication, all versions through 1.1 are affected. Administrators should consult the WordPress plugin repository for any updated release and the Wordfence advisory for fix confirmation. If no patched version exists, removal of the plugin is the recommended path.
Workarounds
- Restrict access to /wp-admin/admin-ajax.php for unauthenticated and low-privilege sessions via a web application firewall rule targeting the import_strings action
- Disable open user registration by setting users_can_register to 0 until the plugin is patched or removed
- Apply the principle of least privilege and avoid assigning unnecessary Subscriber accounts on sites running the affected plugin
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

