Description
The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.0. This is due to the plugin assigning the editor role by default. While limitations with respect to capabilities are put in place, use of the API is not restricted. This vulnerability can be leveraged together with CVE-2025-6038 to obtain admin privileges.
Published: 2025-10-15
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation to Editor role, leading to unauthorized content management capabilities
Action: Patch Now
AI Analysis

Impact

The Lisfinity Core plugin assigns the editor role by default to accounts it creates, and the plugin API that performs this registration is not restricted, so an unauthenticated caller can obtain an editor account on the site. The description notes that some capabilities are limited, but the WordPress editor role by itself allows publishing, editing and deleting any post or page, moderating comments and uploading files, which is enough to alter or deface site content. Editors cannot create users or change roles, so further escalation relies on chaining with CVE-2025-6038, which the description states yields administrator privileges.
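As an added illustration of the CWE-269 pattern the description outlines (a publicly reachable registration route that hands out a privileged role), the following is example code written for this page, not code from Lisfinity Core or from pebas. The namespace `acme/v1`, the route names and the `acme_register_*` functions are hypothetical; only the WordPress APIs (`register_rest_route`, `wp_insert_user`, `get_option`) are real. The vulnerable route is shown beside a hardened one.

```php
<?php
// Added example for this page; hypothetical plugin "acme", not Lisfinity Core code.

// --- Vulnerable pattern -----------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/register', array(
        'methods'  => 'POST',
        'callback' => 'acme_register_vulnerable',
        // No 'permission_callback': any unauthenticated client can call this route.
        // WordPress 5.5+ emits a _doing_it_wrong notice but still serves it.
    ) );
} );

function acme_register_vulnerable( WP_REST_Request $req ) {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $req['username'] ),
        'user_email' => sanitize_email( $req['email'] ),
        'user_pass'  => $req['password'],
        'role'       => 'editor',   // privileged role given to every caller by default
    ) );
    return is_wp_error( $user_id ) ? $user_id : array( 'id' => $user_id );
}

// --- Hardened pattern -------------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/register-safe', array(
        'methods'             => 'POST',
        'callback'            => 'acme_register_hardened',
        // Serve the route only when the site owner has enabled open registration.
        'permission_callback' => function () {
            return (bool) get_option( 'users_can_register' );
        },
        'args' => array(
            'username' => array( 'required' => true, 'sanitize_callback' => 'sanitize_user' ),
            'email'    => array( 'required' => true, 'validate_callback' => 'is_email' ),
            'password' => array( 'required' => true ),
        ),
    ) );
} );

function acme_register_hardened( WP_REST_Request $req ) {
    $user_id = wp_insert_user( array(
        'user_login' => $req['username'],
        'user_email' => $req['email'],
        'user_pass'  => $req['password'],
        // Never take the role from the request or hard-code a privileged one:
        // use the site's configured default (normally 'subscriber'), which is
        // what wp-login.php?action=register does.
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        return new WP_Error( 'acme_register_failed', $user_id->get_error_message(), array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'id' => $user_id ) );
}
```

The two changes that matter are the `permission_callback`, which is what "use of the API is not restricted" refers to, and the role, which must come from site configuration rather than a plugin default of `editor`. Sanitising input in the vulnerable variant does nothing against the privilege problem; the role is granted regardless of what the caller sends.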

Affected Systems

WordPress sites employing the pebas Lisfinity Core plugin for the Lisfinity WordPress theme in any version up to and including 1.4.0. The vulnerability affects the plugin itself, regardless of the broader theme, and impacts any WordPress installation where unauthenticated access to the plugin’s API is possible.

Risk and Exploitability

The CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) is rated High, while the EPSS score below 1% indicates a low current probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The vector confirms that the attack is network-reachable and needs no privileges or user interaction: an external actor can call the exposed API and obtain the editor role without any prior credentials, and the SSVC assessment marks the issue as automatable. Once elevation is achieved, the attacker can perform any action allowed to editors, compromising content integrity and, through the chain with CVE-2025-6038, potentially the whole site.

Generated by OpenCVE AI on April 20, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Lisfinity Core plugin as soon as the vendor publishes a release newer than 1.4.0 that removes the default editor role assignment; no fixed version is recorded on this page yet.
  • Until then, prevent unauthenticated callers from reaching the unrestricted endpoints (for example by adding a permission check to the routes or blocking them at the web server or WAF), and ensure any account the plugin creates receives the site's default role (normally subscriber) rather than editor.
  • Review all existing editor accounts on the site, especially any created after the plugin was installed that nobody recognises; demote or remove them and follow strict role‑management practices so no unintended users hold elevated privileges. Because the issue chains with CVE-2025-6038 to administrator, review administrator accounts for the same window as well.
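One way to carry out the account review above, as an added example written for this page (not an OpenCVE or pebas tool): a script run with WP-CLI's `wp eval-file`, which loads WordPress and exposes extra command-line arguments in `$args`. The file name `audit-editors.php`, the cut-off date and the `demote` switch are this example's own conventions; `WP_User_Query`, `WP_User::set_role` and the `WP_CLI` logging calls are real APIs.

```php
<?php
// Added example for this page; not part of Lisfinity Core or OpenCVE.
// Usage (WP-CLI):
//   wp eval-file audit-editors.php 2025-01-01          # report editors created on/after the date
//   wp eval-file audit-editors.php 2025-01-01 demote   # also downgrade them to subscriber
//
// The date is assumed to be the start of the window in which the unrestricted
// API was reachable (e.g. the plugin's install date); adjust it per site.

$since  = isset( $args[0] ) ? $args[0] : '1970-01-01';
$demote = isset( $args[1] ) && 'demote' === $args[1];

// First sanity check: the site's default role for new registrations.
WP_CLI::log( sprintf( 'default_role is "%s" (expected: subscriber)', get_option( 'default_role' ) ) );

$query = new WP_User_Query( array(
    'role'       => 'editor',
    'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
    'orderby'    => 'registered',
    'order'      => 'DESC',
) );

$found = $query->get_results();
WP_CLI::log( sprintf( '%d editor account(s) registered on or after %s', count( $found ), $since ) );

foreach ( $found as $user ) {
    WP_CLI::log( sprintf( '%5d  %-20s %-30s registered %s',
        $user->ID, $user->user_login, $user->user_email, $user->user_registered ) );
    if ( $demote ) {
        // set_role() replaces every current role with the given one; the account
        // is kept (for forensics and content attribution) but loses editor capabilities.
        $user->set_role( 'subscriber' );
        WP_CLI::warning( "Demoted {$user->user_login} to subscriber" );
    }
}
```

Run the report-only form first and compare the list with the accounts you actually issued; demoting rather than deleting preserves the evidence trail and the attribution of any content the account created, which you will want when checking what was changed.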

Generated by OpenCVE AI on April 20, 2026 at 21:40 UTC.

Advisories

No advisories yet.

History

Tue, 21 Oct 2025 09:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Pebas
                                       Pebas lisfinity Core
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Pebas
                                       Pebas lisfinity Core
                                       Wordpress
                                       Wordpress wordpress

Wed, 15 Oct 2025 19:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Oct 2025 05:45:00 +0000

Type                  Values Removed   Values Added
Description                            The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.0. This is due to the plugin assigning the editor role by default. While limitations with respect to capabilities are put in place, use of the API is not restricted. This vulnerability can be leveraged together with CVE-2025-6038 to obtain admin privileges.
Title                                  Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme <= 1.4.0 - Unauthenticated Privilege Escalation to Editor
Weaknesses                             CWE-269
References
Metrics                                cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:45.827Z

Reserved: 2025-06-12T20:43:29.943Z

Link: CVE-2025-6042

Vulnrichment

Updated: 2025-10-15T18:12:48.924Z

NVD

Status : Deferred

Published: 2025-10-15T06:15:44.887

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6042

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses