CVE-2019-25215

HIGH EXPLOITED

ARI-Adminer <= 1.1.14 - Unauthenticated Authorization Bypass via Direct File Access

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-25215 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The ARI-Adminer plugin for WordPress is vulnerable to authorization bypass due to a lack of file access controls in nearly every file of the plugin in versions up to, and including, 1.1.14. This makes it possible for unauthenticated attackers to call the files directly and perform a wide variety of unauthorized actions such as accessing a site's database and making changes.

Scores

CVSS v3 7.3
EPSS 0.0040
EPSS Percentile 31.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2024-10-15
CWE
CWE-862
Status published
Products (2)
ari-soft/ari_adminer < 1.1.14
arisoft/ARI Adminer – WordPress Database Manager < 1.1.14
Published Oct 16, 2024
Tracked Since Feb 18, 2026