CVE Alert: CVE-2025-10299 – hakik – WPBifröst – Instant Passwordless Temporary Login Links
CVE-2025-10299
The WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ctl_create_link AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts and subsequently log in as those.
AI Summary Analysis
Risk verdict
High risk: authenticated subscribers (and above) can escalate to admin privileges via a missing authorization check, with no user interaction required; no active exploitation indicated yet, but patching is urgent.
Why this matters
An attacker gaining admin rights can fully compromise the site, exfiltrate or modify data, install backdoors, and threaten site availability. The capability escalation target is high-value admin control, so even low-volume exploitation could yield outsized impact across multiple WordPress deployments using this plugin.
Most likely attack path
An authenticated user with Subscriber+ privileges calls the ctl_create_link AJAX action, which lacks proper authorization checks. Given AV Network and UI N/A, the attack is remotely exploitable by any subscriber-level account, and scope remains unchanged; the attacker then creates an admin account and logs in as that user, enabling persistence and broad control.
Who is most exposed
Sites running WordPress with the WPBifröst plugin installed are at risk, especially where subscriber-based login flows are exposed to end users (common in smaller WordPress deployments and hosting environments).
Detection ideas
- Monitor for sudden creation of new admin accounts.
- Inspect admin-ajax.php requests for action=ctl_create_link from authenticated sessions.
- Alert on unusual or rapid admin logins or privilege-change events.
- Correlate with plugin version and recent updates; flag outdated 1.0.7 and earlier.
Mitigation and prioritisation
- Patch to the fixed release (latest version) as soon as available; remove or disable the plugin if patching isn’t feasible.
- Implement least-privilege: prohibit or restrict ctl_create_link usage; require higher privileges for account creation.
- Enable robust logging and alerting on admin creation and plugin-related actions; conduct credential hygiene (rotate admin passwords).
- Apply WAF controls or disable the AJAX endpoint while patching; test in staging before production roll-out.
- If KEV or high EPSS were present, treat as priority 1; with current indicators, prioritise as high (priority 2).
Support Our Work
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on Patreon or Buy Me A Coffee using the buttons below.
