Cyber Resilience

CVE-2025-8059

Critical

Published: 12 August 2025
Modified: 15 April 2026
KEV Added: not in the CISA KEV catalog
Patch: changeset 3340770
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (62.1st percentile)
Risk Priority: 20 (60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-8059 is a critical-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 37.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-8059 is a privilege escalation vulnerability in the B Blocks plugin for WordPress, affecting all versions up to and including 2.0.6. The flaw arises from missing authorization checks and improper input validation in the rgfr_registration() function, mapped to CWE-862 (Missing Authorization). Published on 2025-08-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity, with no user interaction and no privileges required. Through the flawed registration function they can create a new user account and assign it the administrator role directly, potentially gaining full control over the WordPress site, including access to sensitive data, configuration changes, and further compromise.
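The pattern described above, a registration handler that lets the caller choose the role with no authorization check, is shown here next to a hardened handler. This is example code added for this page, not the B Blocks plugin's code: the hypothetical_* names and the nonce action name are invented, while the WordPress functions used are core APIs.

```php
<?php
// Added illustration, not the plugin's code. hypothetical_* names are invented.
// Anti-pattern of the kind the advisory describes: the role is taken from the
// request and nothing checks who is calling.
function hypothetical_vulnerable_registration() {
    $user_id = wp_create_user( $_POST['username'], $_POST['password'], $_POST['email'] );
    ( new WP_User( $user_id ) )->set_role( $_POST['role'] ); // caller picks its own role
}

// Hardened form: the role never comes from an unauthenticated request.
function hypothetical_hardened_registration() {
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    // Nonce tied to the registration form; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'hypothetical_register', 'nonce' );
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'Invalid registration data.', 400 );
    }
    if ( username_exists( $username ) || email_exists( $email ) ) {
        wp_send_json_error( 'Account already exists.', 409 );
    }
    // Default role from site settings (normally "subscriber"). Only a logged-in
    // user who may promote users can choose another one, and only a role that
    // actually exists on this site.
    $role = get_option( 'default_role', 'subscriber' );
    if ( current_user_can( 'promote_users' ) && isset( $_POST['role'] ) ) {
        $requested = sanitize_key( wp_unslash( $_POST['role'] ) );
        if ( wp_roles()->is_role( $requested ) ) {
            $role = $requested;
        }
    }
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_hypothetical_register', 'hypothetical_hardened_registration' );
add_action( 'wp_ajax_hypothetical_register', 'hypothetical_hardened_registration' );
```

For detection, a new user created with the administrator role by a request from an unauthenticated session is the event to alert on; WordPress audit-log plugins record user creation and role changes that can be correlated with the web server access log for the plugin's registration endpoint.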

Advisories and references point to mitigation via patching. The WordPress plugin Trac shows the vulnerable code at line 77 in includes/blocks/RegisterForm.php and a fix in changeset 3340770. Security practitioners should review the plugin's page on wordpress.org/plugins/b-blocks and Wordfence threat intelligence for detailed remediation steps and updated versions.

Vulnerability details

The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and assign it the administrator role.

CWE(s): CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136.001 Create Account: Local Account (Persistence)
Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing WordPress plugin to create an administrator account, which maps directly to initial access via public application exploitation, privilege escalation, and account creation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-5483 (shared CWE-862)
CVE-2026-2992 (shared CWE-862)
CVE-2023-53923 (shared CWE-862)
CVE-2026-4100 (shared CWE-862)
CVE-2026-32501 (shared CWE-862)
CVE-2025-31194 (shared CWE-862)
CVE-2026-6963 (shared CWE-862)
CVE-2024-9195 (shared CWE-862)
CVE-2025-6380 (shared CWE-862)
CVE-2026-0506 (shared CWE-862)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

SI-2 Flaw Remediation (prevent): Timely flaw remediation directly addresses the vulnerability in the rgfr_registration() function by patching the B Blocks plugin, preventing unauthenticated privilege escalation to administrator.

AC-3 Access Enforcement (prevent): Enforces approved authorizations in the application to mitigate the missing authorization checks that allow unauthenticated attackers to create admin accounts.

SI-10 Information Input Validation (prevent): Validates inputs to the rgfr_registration() function, preventing the improper input handling that enables direct assignment of administrator roles.