CVE-2025-29004
Published: 06 January 2026
Summary
CVE-2025-29004 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): Enforces the principle of least privilege, directly mitigating privilege escalation from low-privilege roles such as subscriber or contributor, which are the roles exploited in this WordPress plugin vulnerability.
- AC-3 (Access Enforcement): Mandates enforcement of approved access authorizations, countering the plugin's failure to validate and restrict privilege changes.
- AC-2 (Account Management): Establishes account management processes, including periodic privilege reviews, that prevent incorrect role assignments and enable detection of anomalous escalations on sites running the vulnerable plugin.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1068 (Exploitation for Privilege Escalation): The flaw directly enables an authenticated, low-privileged WordPress user to escalate to administrator through the plugin's incorrect privilege assignment.
NVD Description
Incorrect Privilege Assignment vulnerability in AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress wordpress-flat-countdown allows Privilege Escalation. This issue affects Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through <= 3.0.
Deeper analysis
CVE-2025-29004 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the WordPress plugin Responsive Coming Soon Landing Page / Holding Page for WordPress (wordpress-flat-countdown) developed by AA-Team. It enables privilege escalation and affects all versions from n/a through 3.0. The vulnerability received a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
An attacker with low-privilege access, such as a subscriber or contributor role on a vulnerable WordPress site, can exploit this issue remotely over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to escalate privileges, potentially gaining administrative control over the site, which could lead to full compromise including data theft, modification of site content, or deployment of further malware.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wordpress-flat-countdown/vulnerability/wordpress-responsive-coming-soon-landing-page-holding-page-for-wordpress-3-0-privilege-escalation-vulnerability?_s_id=cve provides details on this vulnerability, including recommended mitigations such as updating to a patched version if available or applying virtual patching through services like Patchstack. Security practitioners should verify the plugin's update status and restrict low-privilege user capabilities where possible.
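The AC-2 detection described above (flagging role escalations that no authorized actor performed) can be implemented on the WordPress side while waiting for a patched plugin. The following must-use plugin is an added example written for this page, not code from the advisory, from AA-Team or from the plugin: it relies on the standard WordPress hooks set_user_role and add_user_role and the promote_users capability, and all rem_-prefixed names are hypothetical.

```php
<?php
/**
 * Plugin Name: Role Escalation Monitor (added example, hypothetical)
 * Drop into wp-content/mu-plugins/ so it loads before ordinary plugins.
 *
 * Logs, and reverts, any grant of a sensitive role that was not performed by an
 * account holding the promote_users capability (administrators on single-site).
 * A subscriber or contributor reaching this code path through a plugin bug is
 * exactly the anomalous escalation that CVE-2025-29004 enables.
 */

const REM_SENSITIVE_ROLES = array( 'administrator', 'editor' );

/** Returns true when the acting account is authorized to assign roles. */
function rem_actor_is_authorized() {
    $actor = wp_get_current_user();
    return $actor->exists() && user_can( $actor, 'promote_users' );
}

/** Fires from WP_User::set_role(): ($user_id, $new_role, $old_roles). */
function rem_on_set_role( $user_id, $role, $old_roles ) {
    if ( ! in_array( $role, REM_SENSITIVE_ROLES, true ) || rem_actor_is_authorized() ) {
        return;
    }
    rem_log( $user_id, $role, 'set_role' );
    // Detach this hook before reverting so the revert does not re-trigger it.
    remove_action( 'set_user_role', 'rem_on_set_role', 10 );
    $user = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( ! empty( $old_roles ) ? $old_roles[0] : get_option( 'default_role', 'subscriber' ) );
    }
    add_action( 'set_user_role', 'rem_on_set_role', 10, 3 );
}

/** Fires from WP_User::add_role(): ($user_id, $added_role). */
function rem_on_add_role( $user_id, $role ) {
    if ( ! in_array( $role, REM_SENSITIVE_ROLES, true ) || rem_actor_is_authorized() ) {
        return;
    }
    rem_log( $user_id, $role, 'add_role' );
    $user = get_userdata( $user_id );
    if ( $user ) {
        $user->remove_role( $role ); // fires remove_user_role, not add_user_role
    }
}

/** Writes one line to the PHP error log for the SIEM to pick up. */
function rem_log( $user_id, $role, $via ) {
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'cli';
    error_log( sprintf( 'role-escalation: user %d granted %s via %s by actor %d at %s',
        $user_id, $role, $via, get_current_user_id(), $uri ) );
}

add_action( 'set_user_role', 'rem_on_set_role', 10, 3 );
add_action( 'add_user_role', 'rem_on_add_role', 10, 2 );
```

Two caveats: the hooks only see changes made through the WP_User role API, so a plugin that writes the capabilities usermeta directly bypasses them, and WP-CLI runs without --user have no current user and will be reverted as well, so pass --user=<admin> for legitimate role changes from the command line.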
Details
- CWE(s)