CVE-2025-8418
Published: 12 August 2025
Summary
CVE-2025-8418 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The CVE-2025-8418 vulnerability affects the B Slider- Gutenberg Slider Block for WP plugin for WordPress in all versions through 1.1.30. It is caused by missing capability checks on the activated_plugin function, which permits arbitrary plugin installation and is tracked under CWE-862 with a CVSS 3.1 score of 8.8.
Authenticated attackers holding subscriber-level access or higher can exploit the flaw remotely without user interaction to install arbitrary plugins on the server, which in turn enables remote code execution and full compromise of confidentiality, integrity, and availability.
The referenced Wordfence advisory and WordPress plugin trac changesets document the missing authorization logic in adminMenu.php and show the corrective code update that restores proper capability enforcement. The associated EPSS score remains low and unchanged at 0.0162 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24224
Vulnerability details
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible…
more
for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing WordPress plugin allows authenticated arbitrary plugin installation, directly enabling exploitation of the web app (T1190) and deployment of web shells for execution/persistence (T1505.003).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 enforces approved authorizations for access to system resources, directly addressing the missing capability checks that allow low-privilege users to install arbitrary plugins.
AC-6 applies least privilege to restrict plugin installation to only authorized high-privilege roles, preventing subscriber-level exploitation.
CM-11 authorizes and manages user-installed software, mitigating unauthorized plugin installations that enable potential remote code execution.