CVE-2025-4606

Severity: CRITICAL · Status: EXPLOITED

Uxper Sala - Startup & SaaS WordPress Theme <=1.1.4 - Privilege Escalation via Account Takeover

Title source: llm

Exploitation Summary

CVE-2025-4606 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including XiaomingX, Yetazyyy, UcenHaxor07.

AI-analyzed exploit summary: The repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction logic for WordPress admin credentials and hashes.

Description

The Sala - Startup & SaaS WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details, such as the password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

Exploits (4)

Source: github · WORKING POC · 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-4606

The repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction logic for WordPress admin credentials and hashes.

Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
Auth: No auth needed
Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)
Analyzed by devstral-2 on Feb 27, 2026
Source: nomisec · SCANNER
by Yetazyyy · poc
https://github.com/Yetazyyy/CVE-2025-4606

This repository contains a Python-based scanner for detecting CVE-2025-4606, which appears to be related to WordPress AJAX misconfiguration. The scanner is designed for bulk site scanning and outputs results to a file.

Classification: Scanner (90%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Theoretical
Target: WordPress (version not specified)
Auth: No auth needed
Prerequisites: Python environment · list of target URLs
Analyzed by devstral-2 on Feb 16, 2026
Source: nomisec · WORKING POC
by UcenHaxor07 · remote
https://github.com/UcenHaxor07/CVE-2025-4606

This PoC exploits CVE-2025-4606 by enumerating WordPress usernames via REST API and author IDs, then resetting passwords via an unauthenticated AJAX endpoint. It uses multithreading for efficiency.

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress (version not specified)
Auth: No auth needed
Prerequisites: WordPress site with vulnerable plugin/theme exposing the AJAX endpoint
Analyzed by devstral-2 on Feb 16, 2026
Source: nomisec · WORKING POC
by Yucaerin · remote
https://github.com/Yucaerin/CVE-2025-4606

This repository contains a functional exploit for CVE-2025-4606, an unauthenticated privilege escalation vulnerability in the WordPress Sala Theme <= 1.1.4. The exploit leverages an exposed AJAX endpoint to reset arbitrary user passwords without authentication.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WordPress Sala Theme <= 1.1.4
Auth: No auth needed
Prerequisites: Valid username on the target WordPress site
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0026
EPSS Percentile: 49.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2026-05-04
CWE: CWE-620 (Unverified Password Change)
Status: published
Products (1): uxper/Sala - Startup & SaaS WordPress Theme < 1.1.4
Published: Jul 09, 2025
Tracked Since: Feb 18, 2026