CVE-2025-5701

HIGH · NUCLEI

HyperComments <1.2.2 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-5701. PoCs published by RandomRobbieBF, Nxploited, qalesyaSN. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC demonstrates an unauthenticated arbitrary options update vulnerability in the HyperComments WordPress plugin (CVE-2025-5701), allowing attackers to enable user registration and set the default role to administrator via a crafted POST request.

Description

The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Exploits (4)

nomisec · WORKING POC · 1 star
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2025-5701

This PoC demonstrates an unauthenticated arbitrary options update vulnerability in the HyperComments WordPress plugin (CVE-2025-5701), allowing attackers to enable user registration and set the default role to administrator via a crafted POST request.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: HyperComments WordPress plugin <= 1.2.2
Authentication: none needed
Prerequisites: WordPress site with HyperComments plugin <= 1.2.2 installed
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC · 1 star
by Nxploited · poc
https://github.com/Nxploited/CVE-2025-5701

This is a functional exploit for CVE-2025-5701, targeting an unauthenticated privilege escalation vulnerability in the HyperComments WordPress plugin. It enables user registration and sets the default role to administrator by exploiting a missing capability check.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: HyperComments WordPress plugin <= 1.2.2
Authentication: none needed
Prerequisites: WordPress site with vulnerable HyperComments plugin installed
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC
by qalesyaSN · poc
https://github.com/qalesyaSN/CVE-2025-5701

This exploit targets an unauthenticated privilege escalation vulnerability in WordPress by modifying the default role to 'administrator' and enabling user registration via a POST request to a specific endpoint. It includes multi-threading for mass exploitation and logs vulnerable targets.

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WordPress (version not specified)
Authentication: none needed
Prerequisites: Target must be a WordPress site with the vulnerable endpoint accessible
devstral-2 · analyzed Feb 16, 2026

github · WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-5701

The repository contains functional exploit code for CVE-2025-5701, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the vulnerability by uploading a shell file to a vulnerable endpoint.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
Authentication: none needed
Prerequisites: target URL · shell file path
devstral-2 · analyzed Feb 27, 2026

Nuclei Templates (1)

HyperComments <= 1.2.2 - Arbitrary Options Update
CRITICAL · by kylew1004
FOFA: body="/wp-content/plugins/hypercomments"

Scores

CVSS v3: 8.8
EPSS: 0.0168
EPSS Percentile: 73.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-862
Status: published
Products (1): siteheart/HyperComments < 1.2.2
Published: Jun 05, 2025
Tracked Since: Feb 18, 2026