CVE-2025-4672: 
WordPress vulnerability analysis and mitigation

The Offsprout Page Builder plugin for WordPress contains a Privilege Escalation vulnerability (CVE-2025-4672) discovered on May 30, 2025. The vulnerability affects versions 2.2.1 through 2.15.2 and is caused by improper authorization in the permission_callback() function. The plugin has been temporarily closed since May 29, 2025, pending a full security review (NVD, Wiz).

The vulnerability stems from improper authorization controls in the permission_callback() function, which allows authenticated users with Contributor-level access or higher to manipulate user meta data through the WordPress REST API. The vulnerability has been assigned CWE-285 (Improper Authorization) and received a CVSS v3.1 score of 8.8 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Wiz).

The vulnerability allows authenticated attackers with Contributor-level access or higher to read, create, update, or delete any user meta data. Most critically, attackers can modify their own wp_capabilities to escalate their privileges to administrator level, effectively gaining full control over the WordPress site (Wiz).

The plugin has been temporarily closed as of May 29, 2025, pending a full security review. Site administrators using affected versions should consider disabling the plugin until a patched version is released. Additionally, reviewing user roles and permissions is recommended to identify any potentially compromised accounts (WordPress Plugin).