CVE-2025-5835 - Vulnerability Details

- Droip <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Many Actions

Description

The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.

Published: 2025-07-25

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Droip plugin for WordPress contains a missing capability check in its droip_post_apis() function that is used by several AJAX hooks. Because the function does not verify the current user’s permissions, authenticated users who hold the Subscriber role or higher can invoke these hooks to perform any action that the plugin exposes. The exposed actions include arbitrary post deletion, creation and duplication, updating plugin settings, and manipulating users. The flaw effectively allows a legitimate user with a low‑level role to perform high‑privilege operations and compromises site integrity. This weakness is classified as CWE‑862, missing authorization.

Affected Systems

All WordPress sites that have the Droip plugin version 2.2.6 or older are affected. The vulnerability is present in every release upstream from the initial version up to and including 2.2.6 distributed by Themeum. Sites that do not run the plugin, or run a newer version, are not impacted.

Risk and Exploitability

The flaw has a CVSS score of 8.8, reflecting a high impact and critical scope. However, the EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog, indicating a low probability of exploitation at present. To exploit the issue an attacker must first be able to authenticate to the site with a Subscriber role or higher and then invoke any of the exposed AJAX endpoints. Once authenticated, the attacker can carry out the aforementioned high‑privilege actions until the plugin is updated or mitigated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Droip

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.2.6

Configuration 1 [-]

cpe:2.3:a:themeum:droip:*:*:*:*:*:wordpress:*:*

No data.

Vendor	Product	Confidence	Versions
Themeum	Droip	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Droip plugin to the latest version available to restore proper capability checks for all AJAX actions.
Remove or limit the Subscriber role’s access to the exposed AJAX endpoints by adjusting role capabilities or using a role‑management plugin.
Deactivate or uninstall the Droip plugin until an updated version with proper capability checks is released.

Generated by OpenCVE AI on April 20, 2026 at 22:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-22575	The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00083.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://droip.com/
https://www.wordfence.com/threat-intel/vulnerabilities/id/e2e6b451-9835-4887-ade7-b18807223a88?source=cve

History

Wed, 08 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description	The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.	The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.
Title	Droip <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Many Actions	Droip <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Many Actions

Mon, 28 Jul 2025 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:themeum:droip::::::wordpress::*

Fri, 25 Jul 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Themeum Themeum droip Wordpress Wordpress wordpress
Vendors & Products		Themeum Themeum droip Wordpress Wordpress wordpress

Fri, 25 Jul 2025 12:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 25 Jul 2025 07:00:00 +0000

Type	Values Removed	Values Added
Description		The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.
Title		Droip <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Many Actions
Weaknesses		CWE-862
References		https://droip.com/ https://www.wordfence.com/threat-intel/vulnerabilities/id/e2e6b451-9835-4887-ade7-b18807223a88?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Themeum Droip

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-07-25T06:43:55.268Z

Updated: 2026-04-08T17:29:18.756Z

Reserved: 2025-06-06T19:42:06.965Z

Link: CVE-2025-5835

Vulnrichment

Updated: 2025-07-25T11:42:13.987Z

NVD

Status : Modified

Published: 2025-07-25T07:15:27.653

Modified: 2026-04-08T19:24:23.407

Link: CVE-2025-5835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object