Cyber Posture

CVE-2025-27270

Critical

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0020 42.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27270 is a critical-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations, directly preventing unauthenticated attackers from performing arbitrary option updates leading to privilege escalation.

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and remediation of the specific missing authorization flaw in the plugin, eliminating the vulnerability.

AC-6 Least Privilege partial match
prevent

Limits the scope and impact of any successful privilege escalation by ensuring users and processes operate with minimal necessary privileges.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

The vulnerability is a missing authorization flaw in a public-facing WordPress plugin allowing unauthenticated remote attackers to perform arbitrary option updates leading directly to privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Missing Authorization vulnerability in enituretechnology Residential Address Detection residential-address-detection allows Privilege Escalation.This issue affects Residential Address Detection: from n/a through <= 2.5.4.

Deeper analysisAI

CVE-2025-27270 is a missing authorization vulnerability (CWE-862) in the Residential Address Detection WordPress plugin by enituretechnology. The flaw allows privilege escalation through arbitrary option updates and affects all versions from n/a through 2.5.4. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation enables privilege escalation by updating arbitrary plugin options, potentially granting elevated access within the affected WordPress installation.

The Patchstack advisory provides details on this WordPress plugin vulnerability, including the arbitrary option update leading to privilege escalation; security practitioners should consult it for assessment and mitigation guidance at https://patchstack.com/database/Wordpress/Plugin/residential-address-detection/vulnerability/wordpress-residential-address-detection-plugin-2-5-4-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-862

CVEs Like This One

CVE-2026-22683Shared CWE-862
CVE-2026-41454Shared CWE-862
CVE-2025-67967Shared CWE-862
CVE-2025-12158Shared CWE-862
CVE-2024-13232Shared CWE-862
CVE-2026-28515Shared CWE-862
CVE-2026-0511Shared CWE-862
CVE-2026-32501Shared CWE-862
CVE-2026-0506Shared CWE-862
CVE-2026-0974Shared CWE-862

References