CVE-2025-6380

EUVD-2025-22503

24.07.2025, 10:15

The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment post, but does not verify the requester’s identity or capabilities. This makes it possible for unauthenticated attackers to log in as an arbitrary user.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Wordfence	CNA	9.8 CRITICAL				CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 50%

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://plugins.trac.wordpress.org/browser/onlyoffice/tags/2.2.0/public/class-onlyoffice-plugin-public.php#L111

https://plugins.trac.wordpress.org/browser/onlyoffice/tags/2.2.0/public/views/class-onlyoffice-plugin-callback.php#L57

https://wordpress.org/plugins/onlyoffice/#developers

https://www.wordfence.com/threat-intel/vulnerabilities/id/608b0506-074b-4df3-8c30-57cfb090f553?source=cve