CVE-2025-5701
WordPress vulnerability analysis and mitigation

Overview

The HyperComments plugin for WordPress contains a critical privilege escalation vulnerability (CVE-2025-5701) discovered in all versions up to and including 1.2.2. The vulnerability stems from a missing capability check on the hcrequesthandler function, which allows unauthenticated attackers to update arbitrary options on WordPress sites (NVD).

Technical details

The vulnerability is caused by insufficient authorization controls in the plugin's hcrequesthandler function. The CVSS v3.1 base score is 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating the highest severity level. The weakness is classified as CWE-862: Missing Authorization (Wordfence).
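The CWE-862 pattern described above, shown as an added example that is not the HyperComments plugin's code: a hypothetical admin-ajax handler that writes whatever option the request names, beside a hardened form that requires an authenticated user with `manage_options`, a nonce, and an allow-list of plugin-owned options. The handler, nonce and option names (`example_request`, `example_nonce`, `example_widget_*`) are assumptions; the WordPress functions used are real.

```php
<?php
// Added illustration (not the HyperComments plugin's code): a missing-authorization
// option-update handler and its hardened counterpart. Names beginning with "example_"
// are assumptions for this example.

// VULNERABLE PATTERN: registered for logged-out users via wp_ajax_nopriv_*, and the
// handler trusts the request to name any option and any value. Anyone who can reach
// admin-ajax.php can therefore change default_role or users_can_register.
function example_vulnerable_handler() {
    $name  = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    update_option( $name, $value ); // no capability check, no nonce, no allow-list
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_request', 'example_vulnerable_handler' );
add_action( 'wp_ajax_example_request', 'example_vulnerable_handler' );

// HARDENED FORM: authenticated users only, capability check, CSRF nonce, and a fixed
// allow-list of the plugin's own options so arbitrary options can never be written.
const EXAMPLE_ALLOWED_OPTIONS = array( 'example_widget_id', 'example_widget_enabled' );

function example_hardened_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends the response and exits
    }
    check_ajax_referer( 'example_nonce', 'nonce' ); // exits with 403 on a bad or missing nonce

    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'option not allowed', 400 );
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}
// No wp_ajax_nopriv_* registration: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_example_request', 'example_hardened_handler' );
```

The three controls are independent and all three matter: the capability check stops unauthenticated and low-privilege users, the nonce stops an administrator's browser from being tricked into sending the request, and the allow-list bounds the damage even if the other two are bypassed, since a plugin setting should never be able to reach core options such as `default_role`.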

Impact

If exploited, an attacker can update arbitrary WordPress site options, for example setting the default role for new user registrations to administrator and enabling user registration. The attacker can then register a new administrator account and gain full control of the vulnerable site (NVD).

Mitigation and workarounds

Site administrators running affected versions of the HyperComments plugin should immediately update to a version newer than 1.2.2 when available. Until a patch is released, it is recommended to disable or remove the plugin to prevent potential exploitation (NVD).
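For the attack path described under Impact, a compensating control a site owner can deploy while the plugin is being removed, written here as an added example that is not part of the advisory or the plugin: a must-use plugin that vetoes any attempt to make `administrator` the default registration role and logs every change to `users_can_register`. The hook names are real WordPress hooks; the safe-role list and log wording are assumptions.

```php
<?php
/**
 * Plugin Name: Example Option Guard (added example, not the advisory's or the plugin's code)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins. It refuses to let
 * default_role become anything outside a small allow-list and logs changes to
 * users_can_register so an attempted escalation leaves a trace in the PHP error log.
 * The allow-list below is an assumption; adjust it to the roles the site actually uses.
 */

const EXAMPLE_SAFE_DEFAULT_ROLES = array( 'subscriber', 'contributor' );

// pre_update_option_{$option} is a filter called with ($value, $old_value, $option) before
// the write. Returning the old value makes update_option() treat it as a no-op.
add_filter( 'pre_update_option_default_role', function ( $value, $old_value ) {
    if ( ! in_array( $value, EXAMPLE_SAFE_DEFAULT_ROLES, true ) ) {
        error_log( sprintf(
            'option guard: blocked default_role change %s -> %s (user %d, from %s)',
            $old_value,
            $value,
            get_current_user_id(),
            $_SERVER['REMOTE_ADDR'] ?? 'cli'
        ) );
        return $old_value; // veto: keep the existing role
    }
    return $value;
}, 10, 2 );

// update_option_{$option} is an action fired after a successful write with
// ($old_value, $value, $option). Logging it gives a detection signal for the second
// half of the attack path (enabling open registration).
add_action( 'update_option_users_can_register', function ( $old_value, $value ) {
    error_log( sprintf(
        'option guard: users_can_register changed %s -> %s (user %d, uri %s)',
        var_export( $old_value, true ),
        var_export( $value, true ),
        get_current_user_id(),
        $_SERVER['REQUEST_URI'] ?? 'cli'
    ) );
}, 10, 2 );
```

This only narrows the two options the advisory names; a handler that can write arbitrary options has other ways to do harm, so the guard supplements the advisory's recommendation to disable or remove the plugin rather than replacing it. A `user %d` of 0 in the log means the write came from an unauthenticated request, which is exactly the signature of the missing capability check.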
