CVE-2025-6380: 
WordPress vulnerability analysis and mitigation

The ONLYOFFICE Docs plugin for WordPress contains a Privilege Escalation vulnerability (CVE-2025-6380) affecting versions 1.1.0 to 2.2.0. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on July 24, 2025. The issue exists in the oo.callback REST endpoint due to insufficient authorization checks (NVD).

The vulnerability stems from a missing authorization mechanism within the oo.callback REST endpoint. The plugin's permission callback only validates that the supplied encrypted attachment ID corresponds to an existing attachment post but fails to verify the requester's identity or capabilities. This implementation flaw has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The weakness is categorized as CWE-862: Missing Authorization (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to log in as arbitrary users on affected WordPress installations. Given the CVSS score of 9.8, this represents a critical security risk with potential for complete system compromise through unauthorized access (NVD).

The plugin has been temporarily closed as of July 22, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version is released (WordPress).