CVE-2025-7722
Published: 23 July 2025
Summary
CVE-2025-7722 is a high-severity Least Privilege Violation (CWE-272) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, ranked at the 49.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22398
Vulnerability details
The Social Streams plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their user meta information in the…
more
update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their user type to that of an administrator.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Review and update requirements help detect and correct least privilege violations in practice.
Access reviews verify and enforce adherence to least privilege by identifying excess permissions.
Requiring specification of intended system usage and access authorizations, plus periodic reviews, supports enforcement of least privilege.
Separation of duties is a direct mechanism to enforce least privilege by ensuring no individual receives more access than required for their isolated responsibilities.
Enforces the least privilege principle to avoid violations of minimal necessary access.
Enforcing only the minimal set of functionality implements least privilege by eliminating unneeded capabilities that could be abused.
The control mandates acknowledgment of least-privilege expectations, making violations by authorized users less likely.
Risk Executive role ensures least privilege is applied uniformly rather than left to individual system owners or projects.