Cyber Resilience

CVE-2025-5483

High

Published: 07 November 2025

Published
07 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-5483 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-5483 is a privilege escalation vulnerability in the LC Wizard plugin for WordPress, stemming from a missing capability check in the ghl-wizard/inc/wp_user.php file. It affects versions 1.2.10 through 1.3.0 of the plugin when the PRO functionality is enabled. The issue, classified under CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability over the network by leveraging the absence of capability checks to create new user accounts with administrator privileges. Exploitation requires high attack complexity, likely involving specific conditions tied to the PRO features, but no prior privileges or user interaction are needed, enabling remote compromise of affected WordPress sites.

Mitigation details are available in the plugin's official patch at https://plugins.trac.wordpress.org/changeset/3366906 and Wordfence's threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/42dcc302-b543-42c7-99fa-605f017beb1a?source=cve, which outline the fix and recommend updating to a patched version beyond 1.3.0.

EU & UK References

Vulnerability details

The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to 1.3.0. This makes it possible for unauthenticated attackers to create new user accounts with the…

more

administrator role when the PRO functionality is enabled.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1136.001 Local Account Persistence
Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

Unauthenticated remote exploitation of public-facing WordPress plugin (T1190) enables privilege escalation (T1068) via missing authorization, directly allowing creation of local administrator accounts (T1136.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2992Shared CWE-862
CVE-2023-53923Shared CWE-862
CVE-2025-8059Shared CWE-862
CVE-2026-4100Shared CWE-862
CVE-2026-32501Shared CWE-862
CVE-2025-31194Shared CWE-862
CVE-2026-6963Shared CWE-862
CVE-2024-9195Shared CWE-862
CVE-2025-6380Shared CWE-862
CVE-2026-0506Shared CWE-862

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations, addressing the missing capability check that allows unauthenticated privilege escalation to administrator accounts.

prevent

Manages system accounts to ensure only authorized entities can create privileged administrator accounts, mitigating unauthorized user creation.

prevent

Enforces least privilege principle to restrict access to administrative functions, preventing exploitation of the missing authorization check.

References