CVE-2025-11007
Published: 04 November 2025
Summary
CVE-2025-11007 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to the vulnerable AJAX endpoint, directly preventing unauthenticated attackers from updating plugin settings despite the missing capability check.
- CM-5 (Access Restrictions for Change): Restricts access to changes in system components such as plugin API settings, mitigating the unauthorized updates that enable secret key modification and admin account creation.
- Applies least privilege to plugin processes and functions, limiting the scope of damage from exploited missing capability checks on critical settings updates.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated exploitation of a public-facing WordPress plugin AJAX endpoint (T1190), enabling attackers to overwrite the API secret key and subsequently create unauthorized administrator accounts (T1136.001).
NVD Description
The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API settings including a secret key used for authentication. This allows unauthenticated attackers to create new admin accounts on an affected site.
Deeper analysis
CVE-2025-11007 affects the CE21 Suite plugin for WordPress, specifically versions 2.2.1 through 2.3.1. The vulnerability stems from a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action, enabling unauthorized updates to the plugin's settings. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. By sending crafted requests to the vulnerable AJAX endpoint, they can modify the plugin's API settings, including the secret key used for authentication. This grants them the ability to create new administrator accounts on the affected WordPress site, potentially leading to full site compromise.
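The pattern behind this class of flaw, as an added illustration in PHP that is constructed for this page and is not the CE21 Suite plugin's code (the function, option and nonce names are hypothetical): a settings-saving AJAX callback exposed on the `wp_ajax_nopriv_` hook with no capability check, beside a hardened version registered only for authenticated users that enforces `current_user_can()` and a nonce before writing the option.

```php
<?php
// Constructed illustration of the CWE-306 pattern described above; hypothetical names throughout.

// VULNERABLE pattern: "wp_ajax_nopriv_*" hooks fire for visitors with no session at all,
// and this callback never asks who is calling before it overwrites the stored secret key.
function my_plugin_save_api_settings_vulnerable() {
    $settings = array(
        'secret_key' => sanitize_text_field( wp_unslash( $_POST['secret_key'] ?? '' ) ),
    );
    update_option( 'my_plugin_api_settings', $settings ); // anyone on the internet reaches this line
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_my_plugin_save_api_settings_vulnerable', 'my_plugin_save_api_settings_vulnerable' );

// HARDENED pattern: registered only on the authenticated "wp_ajax_*" hook (no nopriv variant),
// and the callback still enforces a capability check plus a nonce before touching the option.
function my_plugin_save_api_settings_hardened() {
    // Capability check: only users allowed to manage site options may change the secret key.
    // wp_send_json_error() calls wp_die(), so execution stops here for everyone else.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    // Nonce check: stops a logged-in administrator from being tricked into this request (CSRF).
    check_ajax_referer( 'my_plugin_settings_nonce', 'nonce' );

    $settings = array(
        'secret_key' => sanitize_text_field( wp_unslash( $_POST['secret_key'] ?? '' ) ),
    );
    update_option( 'my_plugin_api_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_my_plugin_save_api_settings', 'my_plugin_save_api_settings_hardened' );
```

When auditing a plugin for this bug class, every callback wired to a `wp_ajax_nopriv_` hook that calls `update_option()` or creates users is a candidate; the fix is the registration change and the in-callback checks shown in the hardened handler, not the nonce alone, since a nonce is obtainable by any visitor to a page that prints it.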
Advisories from Wordfence and the plugin's WordPress.org page provide further details on this issue. Security practitioners should refer to https://www.wordfence.com/threat-intel/vulnerabilities/id/5e24feac-1812-45d7-b3c3-27787eed1cf1?source=cve and https://wordpress.org/plugins/ce21-suite/ for patch information and mitigation guidance, published on 2025-11-04.
Details
- CWE(s)