CVE-2025-49388
Published: 28 August 2025
Summary
CVE-2025-49388 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in the Miraculous Core Plugin for WordPress. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The issue is ranked at the 34.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring identification, reporting, and correction of the privilege escalation flaw through timely patching of the Miraculous Core Plugin.
- AC-6 (Least Privilege): enforces least privilege to limit the impact of incorrect privilege assignments in the plugin, so that an unauthenticated attacker who reaches the flawed code path cannot obtain an effective escalation.
- AC-3 (Access Enforcement): requires enforcement of approved access authorizations on every privileged operation, countering the plugin's improper privilege grants that enable unauthenticated escalation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): the flaw is reached by direct, unauthenticated remote requests to a public-facing WordPress plugin and yields privilege escalation through incorrect privilege assignment.
NVD Description
Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation. This issue affects Miraculous Core Plugin: from n/a through <= 2.0.7.
Deeper analysis
CVE-2025-49388 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Miraculous Core Plugin (miraculouscore) for WordPress, developed by kamleshyadav. The issue enables privilege escalation and affects all versions of the plugin up to and including 2.0.7; the NVD entry gives no lower bound ("from n/a"), so every installed version at or below 2.0.7 should be treated as affected.
The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), characterized by a network attack vector (AV:N), low attack complexity (AC:L), no required privileges (PR:N), and no user interaction (UI:N), with high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H). A 9.8 with these metrics implies unchanged scope (S:U); the same metrics with changed scope would score 10.0. Unauthenticated remote attackers can therefore exploit it to escalate privileges on affected WordPress sites without any credentials or victim interaction.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/miraculouscore/vulnerability/wordpress-miraculous-core-plugin-plugin-2-0-7-privilege-escalation-vulnerability?_s_id=cve documents this plugin vulnerability; the fix is to update the Miraculous Core Plugin to a version newer than 2.0.7. No public details of the specific flawed code path are given in this entry, so detection has to rely on the installed plugin version rather than on a request signature.
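To make the AC-3 and AC-6 controls above concrete for a WordPress plugin, the following is an added, hypothetical illustration written for this page. It is not code from the Miraculous Core Plugin and does not describe its actual flaw, whose details are not public here. It shows the generic CWE-266 pattern in a WordPress AJAX handler (an endpoint reachable without authentication that assigns a caller-chosen role) next to a hardened handler that enforces authorization and restricts which roles the endpoint may grant. All action names, hook names and function names (`example_set_role`, `example_set_role_vulnerable`, `example_set_role_hardened`) are invented for the example; the WordPress API calls are real.

```php
<?php
/**
 * Added illustration (not the Miraculous Core Plugin's code): a hypothetical
 * WordPress AJAX handler showing the CWE-266 pattern, followed by a hardened
 * version that enforces NIST 800-53 AC-3 (access enforcement) and AC-6
 * (least privilege). Hook and function names are invented for this example.
 */

// --- Vulnerable pattern (hypothetical) -----------------------------------
// Registered on the *_nopriv_* hook, so unauthenticated visitors reach it,
// and it trusts the caller-supplied user ID and role with no authorization
// check at all: any visitor can turn any account into an administrator.
add_action( 'wp_ajax_nopriv_example_set_role', 'example_set_role_vulnerable' );
add_action( 'wp_ajax_example_set_role',        'example_set_role_vulnerable' );

function example_set_role_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    $user = get_user_by( 'id', $user_id );
    if ( $user && $role ) {
        $user->set_role( $role ); // incorrect privilege assignment (CWE-266)
    }
    wp_send_json_success();
}

// --- Hardened pattern ------------------------------------------------------
// Only authenticated requests reach it (no nopriv hook), the caller must hold
// a capability that covers role changes and the target account (AC-3), and
// the endpoint can only grant roles from a fixed allow-list that excludes
// administrator (AC-6), so even a compromised caller cannot fully escalate.
add_action( 'wp_ajax_example_set_role_safe', 'example_set_role_hardened' );

function example_set_role_hardened() {
    // CSRF protection: the request must carry a nonce bound to this action.
    check_ajax_referer( 'example_set_role', 'nonce' );

    // AC-3: the current user must be authorized to change roles at all.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    // AC-3: the caller must also be allowed to edit this particular account.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'not allowed to edit this user', 403 );
    }

    // AC-6: never let this endpoint grant administrator; accept only roles
    // from an explicit allow-list that actually exist on the site.
    $allowed_roles = array( 'subscriber', 'contributor', 'author', 'editor' );
    if ( ! in_array( $role, $allowed_roles, true ) || ! get_role( $role ) ) {
        wp_send_json_error( 'role not permitted', 400 );
    }

    // On multisite, a regular admin must not be able to modify super admins.
    if ( is_multisite() && is_super_admin( $user_id ) && ! is_super_admin() ) {
        wp_send_json_error( 'cannot modify super admin', 403 );
    }

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }

    $user->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}
```

When auditing a plugin for this class of bug, the two questions to ask of every handler that calls `set_role()`, `add_role()`, `add_cap()` or `update_user_meta()` on capability keys are whether it is reachable through a `wp_ajax_nopriv_*` hook or an unauthenticated REST route, and whether the role or capability being granted is chosen by the caller rather than by server-side policy. Either answer alone is enough to justify a critical rating of the kind assigned here.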
Details
- CWE(s): CWE-266 (Incorrect Privilege Assignment)