CVE-2025-11855: 
WordPress vulnerability analysis and mitigation

CVE-2025-11855 affects the age-restriction WordPress plugin through version 3.0.2. The vulnerability was discovered and disclosed on November 11, 2025, by security researcher Khaled Alenazi (Nxploited). The vulnerability exists in the age_restrictionRemoteSupportRequest function which lacks proper authorization controls (WPScan).

The vulnerability stems from missing authorization checks in the age_restrictionRemoteSupportRequest function. This security flaw has been assigned a CVSS score of 7.5 (High), indicating significant severity. The vulnerability is classified as a Privilege Escalation issue (CWE-269) and falls under the OWASP Top 10 category of Broken Authentication and Session Management (WPScan).

The vulnerability allows any authenticated user, including those with minimal privileges such as subscriber-level access, to create an administrative user account with a hardcoded username and arbitrary password. This effectively enables privilege escalation to administrative access, giving attackers full control over the WordPress installation (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators running the affected versions of the age-restriction plugin should consider either removing the plugin or implementing additional security controls to restrict access to the vulnerable functionality (WPScan).