Description
The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.8. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's (e.g. administrators) account.
Published: 2025-02-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Account Takeover
Action: Update Plugin
AI Analysis

Impact

The WP Foodbakery plugin for WordPress contains a flaw that permits an attacker to impersonate any user, including administrators, without authentication. This occurs because the plugin fails to validate a user’s identity before setting the current user and authentication cookie, resulting in improper authentication (CWE-288). Based on the description, it is inferred that the attacker can exploit the vulnerability by sending a crafted request to the foodbakery_parse_request routine, which sets the user context unconditionally.

Affected Systems

All released versions of the Chimpstudio WP Foodbakery plugin for WordPress up to and including 4.8 are affected. Sites running any of these versions could be vulnerable to account takeover.

Risk and Exploitability

The CVSS score of 9.8 indicates very high severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely on a wide scale, and the flaw is not catalogued in CISA’s KEV. However, because the flaw can be triggered by an unauthenticated attacker, any publicly reachable WordPress installation that has this plugin can be at risk if an attacker crafts the appropriate request. The high severity coupled with the ease of exploitation makes this a priority for remediation.

Generated by OpenCVE AI on April 22, 2026 at 04:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Foodbakery plugin to the latest available version (greater than 4.8).
  • If an immediate upgrade is not possible, restrict access to the foodbakery_parse_request endpoint using a web application firewall or server‑level access controls.
  • Disable or remove the WP Foodbakery plugin if it is not required for site functionality.
  • Monitor user accounts for anomalous login activity and audit privileges regularly.

Generated by OpenCVE AI on April 22, 2026 at 04:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-1530 The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.7. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's (e.g. administrators) account.
History

Fri, 10 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.7. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's (e.g. administrators) account. The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.8. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's (e.g. administrators) account.
Title WP Foodbakery <= 4.7 - Authentication Bypass in foodbakery_parse_request WP Foodbakery <= 4.8 - Authentication Bypass in foodbakery_parse_request

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00131}

 epss

{'score': 0.00174}

Tue, 11 Feb 2025 07:00:00 +0000

Type Values Removed Values Added
Description The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.7. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's (e.g. administrators) account.
Title WP Foodbakery <= 4.7 - Authentication Bypass in foodbakery_parse_request
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:32.148Z

Reserved: 2025-01-02T20:46:55.396Z

Link: CVE-2025-0181

cve-icon Vulnrichment

Updated: 2025-02-11T15:27:37.378Z

cve-icon NVD

Status : Deferred

Published: 2025-02-11T07:15:29.827

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0181

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T04:30:05Z

Weaknesses