CVE-2025-2815: 
WordPress vulnerability analysis and mitigation

The Administrator Z plugin for WordPress contains a privilege escalation vulnerability (CVE-2025-2815) discovered on March 28, 2025. The vulnerability exists in all versions up to and including 2025.03.24 due to a missing capability check in the adminzimportbackup() function. This security flaw affects WordPress installations with the Administrator Z plugin installed (NVD).

The vulnerability stems from a missing capability check in the adminzimportbackup() function, which allows authenticated users with Subscriber-level access or higher to update arbitrary options on the WordPress site. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-862: Missing Authorization (NVD).

The vulnerability allows authenticated attackers to update arbitrary options on the WordPress site. Specifically, attackers can modify the default role for new user registrations to administrator and enable user registration, effectively gaining administrative access to the vulnerable site (NVD).

Site administrators should immediately update the Administrator Z plugin to versions newer than 2025.03.24. If an update is not available, it is recommended to disable the plugin until a patched version is released (NVD).