No vendor fix or workaround currently provided.
No advisories yet.
Fri, 05 Jun 2026 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Framework-y Framework-y hybrid Composer Wordpress Wordpress wordpress | |
| Vendors & Products | Framework-y Framework-y hybrid Composer Wordpress Wordpress wordpress | |
Thu, 04 Jun 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Thu, 04 Jun 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to hc_ajax_save_option to enable user registration and set the default role to administrator, enabling account takeover. | |
| Title | WordPress Hybrid Composer 1.4.6 Unauthenticated Settings Change | |
| Weaknesses | CWE-306 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-04T13:44:23.414Z
Reserved: 2026-06-04T11:06:42.368Z
Link: CVE-2019-25738
Updated: 2026-06-04T13:44:20.691Z
Status: Deferred
Published: 2026-06-04T14:16:32.180
Modified: 2026-06-04T15:00:40.757
Link: CVE-2019-25738
No data.
OpenCVE Enrichment
Updated: 2026-06-05T10:07:49Z