CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-54049

CVSS 9.9v3.1pub. 2025-08-20upd. 2026-04-23

Incorrect Privilege Assignment vulnerability in miniOrange Custom API for WP custom-api-for-wp allows Privilege Escalation.This issue affects Custom API for WP: from n/a through <= 4.2.2.

🤖 AI Analysis
How it works

The vulnerability results from improper privilege assignment (CWE-266) in the Custom API for WP plugin code in versions up to and including 4.2.2. An authenticated attacker with minimal privileges can exploit the faulty access control logic provided by the plugin to gain higher privileges than they are entitled to. The network vector (AV:N) and lack of requirements for attack complexity (AC:L) and user interaction (UI:N) make the exploit performable remotely in a simple manner.

Impact

An attacker can obtain elevated privileges within a WordPress site or environment, which in practice may mean taking full administrative control of the service, modifying content, stealing user data, or further compromising the infrastructure.

Mitigation & patch

The Custom API for WP plugin should be updated as soon as possible to a version higher than 4.2.2. Details regarding the patched version are available in the Patchstack database and the WordPress repository. If an update is not immediately possible, consider deactivating the plugin until the patch is deployed.

Who is affected

WordPress plugin 'Custom API for WP' by miniOrange in versions from n/a to 4.2.2 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
LPE
CWE
References