Cyber Resilience

CVE-2025-27270

Critical

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0020 42.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27270 is a critical-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-27270 is a missing authorization vulnerability (CWE-862) in the Residential Address Detection WordPress plugin by enituretechnology. The flaw allows privilege escalation through arbitrary option updates and affects all versions from n/a through 2.5.4. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation enables privilege escalation by updating arbitrary plugin options, potentially granting elevated access within the affected WordPress installation.

The Patchstack advisory provides details on this WordPress plugin vulnerability, including the arbitrary option update leading to privilege escalation; security practitioners should consult it for assessment and mitigation guidance at https://patchstack.com/database/Wordpress/Plugin/residential-address-detection/vulnerability/wordpress-residential-address-detection-plugin-2-5-4-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Missing Authorization vulnerability in enituretechnology Residential Address Detection residential-address-detection allows Privilege Escalation.This issue affects Residential Address Detection: from n/a through <= 2.5.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a missing authorization flaw in a public-facing WordPress plugin allowing unauthenticated remote attackers to perform arbitrary option updates leading directly to privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4100Shared CWE-862
CVE-2026-32501Shared CWE-862
CVE-2025-31194Shared CWE-862
CVE-2026-6963Shared CWE-862
CVE-2024-9195Shared CWE-862
CVE-2025-6380Shared CWE-862
CVE-2026-0506Shared CWE-862
CVE-2025-2110Shared CWE-862
CVE-2026-6510Shared CWE-862
CVE-2026-0974Shared CWE-862

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations, directly preventing unauthenticated attackers from performing arbitrary option updates leading to privilege escalation.

prevent

Requires timely identification, reporting, and remediation of the specific missing authorization flaw in the plugin, eliminating the vulnerability.

prevent

Limits the scope and impact of any successful privilege escalation by ensuring users and processes operate with minimal necessary privileges.

References