Overview
- The vulnerability, tracked as CVE-2025-8489 with a CVSS score of 9.8, allows unauthenticated users to assign themselves the administrator role during registration.
- Attackers craft requests to the /wp-admin/admin-ajax.php endpoint that abuse the plugin’s handle_register_ajax function to create rogue administrator accounts.
- Impacted versions are 24.12.92 through 51.1.14, and the maintainers issued a fix on September 25, 2025 in release 51.1.35.
- Exploitation began on October 31 and spiked November 9–10, with more than 48,400 attempts blocked to date and notable activity from 45.61.157.120 and 2602:fa59:3:424::1.
- Administrators should update immediately, audit for unexpected admin users, review logs for listed attacking IPs, and look for signs of compromise such as code uploads, redirects, or spam.
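An added example, not part of the advisory above, that turns its last two recommendations into something an administrator can run: it scans access-log lines for requests to the /wp-admin/admin-ajax.php endpoint, separating hits from the two listed IPs from other POSTs worth a look, and flags administrator accounts created on or after the exploitation start date that are not on a known-admin allowlist. The indicator IPs and endpoint come from the advisory; the log lines, account names and the allowlist are constructed, and the year 2025 for the October 31 start date is assumed from the patch date.

```python
"""Triage helpers for the CVE-2025-8489 indicators listed in the advisory.

Constructed example: the access-log lines and the admin user list below are
made up; only the two IOC IPs and the admin-ajax.php endpoint come from the
advisory text.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Indicators taken from the advisory above.
IOC_IPS = {"45.61.157.120", "2602:fa59:3:424::1"}
ENDPOINT = "/wp-admin/admin-ajax.php"
# First observed exploitation; the year is assumed (same year as the fix).
EXPLOIT_START = datetime(2025, 10, 31, tzinfo=timezone.utc)

# Apache/nginx "combined" access-log format; IPv6 addresses are plain tokens.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line):
    """Return ip/method/path/status for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    rec["status"] = int(rec["status"])
    return rec


def triage_access_log(lines):
    """Split requests to the AJAX endpoint into hits from the listed IOC IPs
    and POSTs from any other source. Returns (ioc_hits, other_posts), both
    Counters keyed by client IP."""
    ioc_hits = Counter()
    other_posts = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        if rec["ip"] in IOC_IPS:
            ioc_hits[rec["ip"]] += 1
        elif rec["method"] == "POST":
            other_posts[rec["ip"]] += 1
    return ioc_hits, other_posts


def unexpected_admins(users, known_admins):
    """users: iterable of (login, registered_utc_iso) for accounts holding the
    administrator role, e.g. exported with
    `wp user list --role=administrator --fields=user_login,user_registered`.
    Flags admins registered on or after the exploitation start date that are
    not on the allowlist of known administrators."""
    flagged = []
    for login, registered in users:
        when = datetime.fromisoformat(registered).replace(tzinfo=timezone.utc)
        if login not in known_admins and when >= EXPLOIT_START:
            flagged.append(login)
    return flagged


# Constructed sample data (not real traffic or real accounts).
SAMPLE_LOG = [
    '45.61.157.120 - - [09/Nov/2025:03:12:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '2602:fa59:3:424::1 - - [10/Nov/2025:11:02:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 162 "-" "curl/8.4"',
    '203.0.113.7 - - [10/Nov/2025:11:05:19 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Nov/2025:11:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]
SAMPLE_ADMINS = [
    ("site_owner", "2023-04-02 09:15:00"),
    ("wpadm1n_x9", "2025-11-09 03:12:45"),
]
KNOWN_ADMINS = {"site_owner"}

if __name__ == "__main__":
    hits, others = triage_access_log(SAMPLE_LOG)
    print("IOC hits:", dict(hits))
    print("Other admin-ajax POSTs:", dict(others))
    print("Unexpected admins:", unexpected_admins(SAMPLE_ADMINS, KNOWN_ADMINS))
```

Run it against a real access log by feeding file lines to `triage_access_log` and the WP-CLI export to `unexpected_admins`. Legitimate WordPress traffic also POSTs to admin-ajax.php (the heartbeat line above is one such case), so the `other_posts` bucket is a lead to review alongside the user audit, not a verdict on its own; a blocked request (status 403) from an IOC IP is still counted because it shows the site was targeted.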