Description
The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.2.14. This is due to the custom_actions() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's username.
Published: 2025-10-03
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover and privilege escalation via authentication bypass
Action: Immediate Patch
AI Analysis

Impact

The plugin contains an authentication bypass that allows an attacker who knows a user's username to log in without a password. The flaw originates in the custom_actions() routine, which fails to verify the identity of the caller before creating an authenticated session. As a result, any unauthenticated attacker who can reach the site can assume the identity of any existing user, including administrators, giving them full control over the WordPress installation. The weakness is a classic improper authentication condition (CWE-288).

Affected Systems

Spirit Framework, a WordPress plugin provided by Theme-Spirit, is affected in every release up to and including version 1.2.14. No fixed version is named, so any installation running 1.2.14 or earlier should be treated as vulnerable.

Risk and Exploitability

The CVSS score of 9.8 indicates a very severe risk that requires an immediate response. The EPSS score is below 1%, meaning the predicted likelihood of exploitation in the wild is currently low, but the absence of a KEV listing does not lessen the threat; attackers could still leverage the flaw. Based on the description and the CVSS vector (AV:N/PR:N/UI:N), the attack is remote via the web interface: an unauthenticated request that reaches the custom_actions() handler is enough to trigger the flaw. An attacker needs only knowledge of a target's username and requires no further privileges, user interaction, or software on the victim site.

Generated by OpenCVE AI on April 20, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade or replace Spirit Framework with a version that does not contain the authentication bypass (any release newer than 1.2.14).
  • If an update is not available, disable or uninstall the vulnerable plugin to remove the attack surface entirely.
  • Until the plugin can be removed or patched, restrict administrator access to known IP addresses or use a Web Application Firewall to block unauthenticated access to the custom_actions endpoint.

Advisories
Source: EUVD
ID: EUVD-2025-32230
Title: The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.2.14. This is due to the custom_actions() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's username.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress
Vendors & Products                    Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Oct 2025 08:30:00 +0000

Type                 Values Removed   Values Added
Description                           The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.2.14. This is due to the custom_actions() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's username.
Title                                 Spirit Framework <= 1.2.14 - Authentication Bypass to Account Takeover and Privilege Escalation
Weaknesses                            CWE-288
References
Metrics                               cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:09.342Z

Reserved: 2025-06-20T00:46:48.403Z

Link: CVE-2025-6388

Vulnrichment

Updated: 2025-10-03T15:56:16.977Z

NVD

Status : Deferred

Published: 2025-10-03T09:15:38.300

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6388

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses