CVE-2025-5835

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-5835
The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://droip.com/ Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/e2e6b451-9835-4887-ade7-b18807223a88?source=cve Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:themeum:droip:*:*:*:*:*:wordpress:*:*
History

08 Apr 2026, 19:24

Type Values Removed Values Added
Summary
  • (es) El complemento Droip para WordPress es vulnerable a modificaciones y accesos no autorizados a los datos debido a la falta de una comprobación de capacidad en la función droip_post_apis() en todas las versiones hasta la 2.2.0 incluida. Esto permite a atacantes autenticados, con acceso de suscriptor o superior, realizar numerosas acciones, ya que AJAX se conecta a varias funciones. Algunos posibles impactos incluyen la eliminación, creación y duplicación de publicaciones arbitrarias, la actualización de la configuración, la manipulación del usuario y mucho más.
Summary (en) The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more. (en) The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.

28 Jul 2025, 15:15

Type Values Removed Values Added
First Time Themeum
Themeum droip
References () https://droip.com/ - () https://droip.com/ - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/e2e6b451-9835-4887-ade7-b18807223a88?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/e2e6b451-9835-4887-ade7-b18807223a88?source=cve - Third Party Advisory
CPE cpe:2.3:a:themeum:droip:*:*:*:*:*:wordpress:*:*

25 Jul 2025, 07:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-25 07:15

Updated : 2026-04-08 19:24

NVD link : CVE-2025-5835

Mitre link : CVE-2025-5835

CVE.ORG link : CVE-2025-5835

JSON object : View

Products Affected

themeum

  • droip
CWE
CWE-862

Missing Authorization