CVE-2025-14364

HIGH

Demo Importer Plus <2.0.8 - Privilege Escalation

Title source: llm

Description

The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account.

Exploits (1)

nomisec WORKING POC
by Nxploited · poc
https://github.com/Nxploited/CVE-2025-14364

References (2)

Scores

CVSS v3 8.8
EPSS 0.0008
EPSS Percentile 22.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-862
Status published
Products (1)
kraftplugins/Demo Importer Plus < 2.0.8
Published Dec 18, 2025
Tracked Since Feb 18, 2026