CVE-2025-7695
Published: 24 July 2025
Summary
CVE-2025-7695 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 30.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 requires enforcement of approved authorizations for access to resources, directly addressing the missing authorization checks in the reset_password_link endpoint that allow any authenticated user to target administrator accounts.
AC-6 enforces the principle of least privilege, preventing Subscriber-level users from performing privilege-escalating actions like generating password reset links for administrators.
AC-2 mandates proper account management including authorization of account changes and reviews, mitigating unauthorized password resets that enable account hijacking.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization in password reset endpoint directly enables authenticated privilege escalation to admin via account hijacking.
NVD Description
The Dataverse Integration plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within its reset_password_link REST endpoint in versions 2.77 through 2.81. The endpoint’s handler accepts a client-supplied id, email, or login, looks up that user,…
more
and calls get_password_reset_key() unconditionally. Because it only checks that the caller is authenticated, and not that they own or may edit the target account, any authenticated attacker, with Subscriber-level access and above, can obtain a password reset link for an administrator and hijack that account.
Deeper analysisAI
CVE-2025-7695 is a privilege escalation vulnerability in the Dataverse Integration plugin for WordPress, affecting versions 2.77 through 2.81. The issue stems from missing authorization checks in the reset_password_link REST endpoint, where the handler accepts a client-supplied user identifier such as an ID, email, or login, looks up the corresponding user, and unconditionally calls get_password_reset_key(). The endpoint only verifies that the caller is authenticated, without confirming ownership or edit permissions for the target account. This flaw is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization).
An attacker with Subscriber-level access or higher, who is already authenticated to the WordPress site, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending a crafted request to the reset_password_link endpoint with an administrator's user details, the attacker obtains a valid password reset link for that account. This enables full account hijacking, potentially granting the attacker administrative privileges on the site.
References include source code locations in AuthenticatedEndpoint.php and GetResetUserPasswordLink.php, a plugin changeset from 3323579 to 3329717 indicating a potential patch commit, the plugin's developers page on WordPress.org, and a Wordfence threat intelligence entry for the vulnerability. Security practitioners should review these for patch details and update to a fixed version if available.
Details
- CWE(s)