CVE-2025-4631: 
WordPress vulnerability analysis and mitigation

The Profitori plugin for WordPress contains a critical privilege escalation vulnerability (CVE-2025-4631) discovered on May 31, 2025. The vulnerability affects versions 2.0.6.0 to 2.1.1.3 and is due to a missing capability check on the stocktend_object endpoint. The plugin has been temporarily closed since May 29, 2025, pending a full security review (NVD, WordPress Plugin).

The vulnerability stems from a missing capability check on the stocktendobject endpoint, which allows triggering the saveobjectasuser() function for objects with '_datatype' set to 'users'. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-285 (Improper Authorization) (NVD, Wiz).

The vulnerability allows unauthenticated attackers to write arbitrary strings directly into the user's wp_capabilities meta field. This can lead to privilege escalation, potentially allowing attackers to elevate the privileges of existing user accounts or newly created ones to administrator level (NVD).

The plugin has been temporarily closed as of May 29, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version is released (WordPress Plugin).