CVE-2025-8059
Published: 12 August 2025
Summary
CVE-2025-8059 is a critical-severity Missing Authorization (CWE-862) vulnerability in WordPress (product inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- Flaw Remediation (SI-2): timely flaw remediation directly addresses the vulnerability in the rgfr_registration() function by patching the B Blocks plugin, preventing unauthenticated privilege escalation to administrator.
- AC-3 (Access Enforcement): enforces approved authorizations in the application to mitigate the missing authorization check that allows unauthenticated attackers to create admin accounts.
- SI-10 (Information Input Validation): validates inputs to the rgfr_registration() function, preventing the improper input handling that enables direct assignment of the administrator role.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability enables unauthenticated remote exploitation of a public-facing WordPress plugin to create an administrator account, which maps directly to initial access via exploitation of a public-facing application, privilege escalation, and account creation.
NVD Description
The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and assign it the administrator role.
Deeper analysis (AI)
CVE-2025-8059 is a privilege escalation vulnerability in the B Blocks plugin for WordPress, affecting all versions up to and including 2.0.6. The flaw arises from missing authorization checks and improper input validation in the rgfr_registration() function, mapped to CWE-862 (Missing Authorization). Published on 2025-08-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction or privileges required. By leveraging the flawed registration function, they can create a new user account and directly assign it the administrator role, potentially gaining full control over the WordPress site, including access to sensitive data, configuration changes, and further compromise.
Advisories and references identify patching as the mitigation. The WordPress plugin Trac shows the vulnerable code at line 77 of includes/blocks/RegisterForm.php and the fix in changeset 3340770. Security practitioners should review the plugin's developer page at wordpress.org/plugins/b-blocks and Wordfence threat intelligence for detailed remediation steps and updated versions.
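As an added illustration of the defect class this record describes (not the B Blocks plugin's own code and not taken from the page), the following hypothetical WordPress registration handler shows the weak pattern, where the account role is read from the request, beside a hardened version that ignores any client-supplied role, validates its inputs and honours the site's registration setting. The function names, form field names and nonce action are assumptions.

```php
<?php
// Hypothetical illustration; all names here are assumptions, not the B Blocks plugin's code.

// Weak pattern: no nonce or policy check, and the role is taken straight from the client.
function bb_example_register_weak() {
    $user_id = wp_insert_user( array(
        'user_login' => $_POST['username'],
        'user_email' => $_POST['email'],
        'user_pass'  => $_POST['password'],
        'role'       => $_POST['role'], // client-controlled: any role the caller names
    ) );
    wp_send_json_success( array( 'id' => $user_id ) );
}

// Hardened pattern for a public self-registration form.
function bb_example_register_hardened() {
    // 1. Honour the site's registration policy before doing anything else.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    // 2. Require a nonce tied to this form (blocks cross-site and blind POSTs).
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'bb_example_register' ) ) {
        wp_send_json_error( 'Invalid request.', 403 );
    }
    // 3. Validate and sanitize every input; reject bad values rather than coercing them.
    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['password'] ?? '' );
    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( 'Invalid username, e-mail or password.', 400 );
    }
    if ( username_exists( $login ) || email_exists( $email ) ) {
        wp_send_json_error( 'Account already exists.', 409 );
    }
    // 4. Never accept a role from the request: the server decides, using the site default.
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}
// Unauthenticated AJAX endpoint: only the hardened handler is exposed.
add_action( 'wp_ajax_nopriv_bb_example_register', 'bb_example_register_hardened' );
```

The wp_send_json_* helpers terminate the request, so each failed check stops execution before any account is created.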
Details
- CWE(s)