Cyber Resilience

CVE-2025-49388

Critical

Published: 28 August 2025

Published
28 August 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 40.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-49388 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-49388 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Miraculous Core Plugin (miraculouscore) for WordPress, developed by kamleshyadav. This issue enables privilege escalation and affects all versions of the plugin from its initial release through 2.0.7.

The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), characterized by a network attack vector (AV:N), low attack complexity (AC:L), no required privileges (PR:N), and no user interaction (UI:N), resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H). Unauthenticated remote attackers can exploit it to escalate privileges on affected WordPress sites.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/miraculouscore/vulnerability/wordpress-miraculous-core-plugin-plugin-2-0-7-privilege-escalation-vulnerability?_s_id=cve documents this plugin vulnerability, with mitigation achieved by updating to a version of the Miraculous Core Plugin newer than 2.0.7.

EU & UK References

Vulnerability details

Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue affects Miraculous Core Plugin: from n/a through <= 2.0.7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct unauthenticated remote exploitation of public-facing WordPress plugin for privilege escalation via incorrect privilege assignment.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24971Shared CWE-266
CVE-2024-51888Shared CWE-266
CVE-2025-44655Shared CWE-266
CVE-2024-43333Shared CWE-266
CVE-2024-12470Shared CWE-266
CVE-2026-23550Shared CWE-266
CVE-2026-32520Shared CWE-266
CVE-2025-67953Shared CWE-266
CVE-2024-32555Shared CWE-266
CVE-2026-32519Shared CWE-266

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring identification, reporting, and correction of the privilege escalation flaw through timely patching of the Miraculous Core Plugin.

prevent

Enforces least privilege to limit the impact of incorrect privilege assignments in the plugin, preventing effective escalation by unauthenticated attackers.

prevent

Requires enforcement of approved access authorizations, countering the plugin's improper privilege grants that enable unauthenticated escalation.

References