CVE-2025-6038: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-6038 affects the Lisfinity Core plugin used for pebas® Lisfinity WordPress theme in all versions up to and including 1.4.0. The vulnerability was discovered and disclosed on October 8, 2025, and was published to the CVE List on October 9, 2025. This security flaw is related to privilege escalation via password update functionality (NVD, Wordfence).

The vulnerability stems from improper validation of user identity prior to password updates, classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The severity is rated as HIGH with a CVSS v3.1 base score of 8.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The technical assessment indicates that the vulnerability requires low attack complexity and can be exploited remotely with only low-level privileges required (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to change arbitrary user passwords, including those of administrators. This can lead to complete compromise of WordPress installations using the affected plugin. The vulnerability can also be combined with CVE-2025-6042 to achieve elevated privileges and obtain full administrative access (NVD, NVD-6042).

Users of the Lisfinity Core plugin should immediately update to a version newer than 1.4.0 if available. If an update is not available, it is recommended to disable the plugin until a patch is released, given the severity of the vulnerability (Themeforest).