CVE-2019-25738

CRITICAL

WordPress Hybrid Composer 1.4.6 Unauthenticated Settings Change

Title source: CNA

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25738. PoCs published by yasin.

AI-analyzed exploit summary: This exploit leverages an unauthenticated option update vulnerability in WordPress Hybrid Composer <= 1.4.6 to enable user registration, set the default role to administrator, and create a new admin account. It demonstrates the vulnerability by sending crafted POST requests to the admin-ajax.php endpoint.

Description

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability: the hc_ajax_save_option AJAX action performs no authentication or capability check, so any unauthenticated attacker can modify WordPress options. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to hc_ajax_save_option to enable user registration and set the default role to administrator, enabling account takeover.

Exploits (1)

exploitdb (WORKING POC)
by yasin · tags: python, webapps, php
https://www.exploit-db.com/exploits/47154

Classification
Working PoC: 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WordPress Hybrid Composer <= 1.4.6
Authentication: none needed
Prerequisites: WordPress site with Hybrid Composer plugin <= 1.4.6 installed
Analyzed by devstral-2 on Jun 04, 2026

References (5)

Core References (5)
Exploit: ExploitDB-47154
https://www.exploit-db.com/exploits/47154
Product: Official Product Homepage
http://wordpress.framework-y.com
Product: Product Reference
http://wordpress.framework-y.com/hybrid-composer/
Third Party Advisory: VulnCheck Advisory: WordPress Hybrid Composer 1.4.6 Unauthenticated Settings Change
https://www.vulncheck.com/advisories/wordpress-hybrid-composer-unauthenticated-settings-change

Scores

CVSS v3: 9.8
EPSS: 0.0035
EPSS Percentile: 26.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-306
Status: published
Products (1): framework-y/Hybrid Composer 1.4.6
Published: Jun 04, 2026
Tracked Since: Jun 04, 2026