CVE-2025-5701

CRITICAL NUCLEI

HyperComments <1.2.2 - Privilege Escalation

Title source: llm

Description

The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Exploits (4)

nomisec WORKING POC 1 stars

by Nxploited · poc

https://github.com/Nxploited/CVE-2025-5701

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by RandomRobbieBF · poc

https://github.com/RandomRobbieBF/CVE-2025-5701

View Code ZIP pw:eip

github WORKING POC

by Boshe99 · pythonpoc

https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-5701

View Code ZIP pw:eip

nomisec WORKING POC

by qalesyaSN · poc

https://github.com/qalesyaSN/CVE-2025-5701

View Code ZIP pw:eip

Nuclei Templates (1)

HyperComments <= 1.2.2 - Arbitrary Options Update

CRITICALby kylew1004

FOFA: body="/wp-content/plugins/hypercomments"

References (2)

[Product] https://plugins.trac.wordpress.org/browser/hypercomments/trunk/hypercomments.php

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/07fd6bee-5b00-4fc1-9f7a-3857fd35c763?source=cve

Scores

CVSS v3 9.8

EPSS 0.1382

EPSS Percentile 94.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-862

Status draft

Timeline

Published Jun 05, 2025

Tracked Since Feb 18, 2026