
Cloud Vulnerability DB
A community-led vulnerabilities database
The PT Project Notebooks plugin for WordPress (versions 1.0.0 through 1.1.3) contains a critical privilege escalation vulnerability identified as CVE-2025-5304. The vulnerability stems from missing authorization checks in the wpnbptonewusersadd() function, which allows unauthenticated attackers to elevate their privileges to administrator level. This vulnerability was discovered by researcher kr0d and was publicly disclosed on June 27, 2025 (NVD, Wiz).
The root cause is insufficient authorization checking in the wpnbptonewusersadd() function within the plugin's admin settings component. The function is reachable through WordPress AJAX endpoints without verifying that the caller is authenticated or holds the capability required to create users. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical), the highest severity level, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-862: Missing Authorization (Wordfence).
The vulnerability allows unauthenticated attackers to gain administrator-level privileges on affected WordPress installations. This level of access permits complete control over the WordPress site, including the ability to modify content, install or remove plugins and themes, manage users, and potentially execute arbitrary code on the server (NVD).
The plugin has been temporarily closed and is not available for download as of June 26, 2025, pending a full security review. Site administrators running affected versions should immediately disable the plugin until a patched version becomes available (WordPress Plugin).
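The weakness class described above (a user-creation handler exposed via WordPress AJAX without an authorization check) is easiest to see against its hardened counterpart. The following is an added illustration, not code from the PT Project Notebooks plugin or from Wiz; the action name `example_add_user` and the function names are hypothetical placeholders, and the nonce action `example_add_user_nonce` is assumed to be issued by the plugin's own admin page.

```php
<?php
// Added example (not the plugin's own code). Shows the WordPress AJAX
// pattern behind a CWE-862 finding and a hardened form of the same handler.
// Action and function names are hypothetical placeholders.

// --- Weak pattern (do not ship) -------------------------------------------
// Registering a user-creation handler on the *_nopriv_* hook makes WordPress
// run it for visitors who are not logged in, and without a capability check
// any caller can create an account in whatever role the request body names.
add_action( 'wp_ajax_nopriv_example_add_user', 'example_add_user_weak' );
add_action( 'wp_ajax_example_add_user',        'example_add_user_weak' );

function example_add_user_weak() {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['login'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => sanitize_key( $_POST['role'] ?? 'subscriber' ), // caller chooses the role
    ) );
    wp_send_json_success( array( 'id' => $user_id ) );
}

// --- Hardened pattern -----------------------------------------------------
// Only the authenticated hook is registered, the request must carry a nonce
// issued to the plugin's admin page, the caller must hold the capability that
// covers the action, and the role is constrained by a server-side allow-list.
add_action( 'wp_ajax_example_add_user', 'example_add_user_hardened' );

function example_add_user_hardened() {
    // 1. Nonce: ties the request to a form rendered for this logged-in user (CSRF defence).
    check_ajax_referer( 'example_add_user_nonce', 'nonce' );

    // 2. Authorization: creating users requires the create_users capability,
    //    which only administrators hold by default.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Role allow-list: the request body must never be able to select 'administrator'.
    $allowed_roles = array( 'subscriber', 'contributor' );
    $role          = sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( array( 'message' => 'Role not permitted.' ), 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}
```

The three checks are independent and all three matter: the nonce alone does not establish authorization (a logged-in subscriber can obtain one), and a capability check alone does not stop a cross-site request riding on an administrator's session. When reviewing a plugin for this weakness class, grep for `wp_ajax_nopriv_` registrations and confirm that every handler reachable that way is genuinely meant for anonymous callers and performs no privileged write.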
Source: This report was generated using AI