CVE-2019-25738

WordPress · Hybrid Composer

WordPress Hybrid Composer 1.4.6 allows unauthenticated attackers to modify site options via the hc_ajax_save_option action, facilitating full account takeover through unauthorized administrative access.

Executive summary

An unauthenticated settings change vulnerability in WordPress Hybrid Composer allows remote attackers to perform full account takeover by elevating privileges to administrator.

Vulnerability

This is an unauthenticated options-update vulnerability in the hc_ajax_save_option function. Because the AJAX handler is reachable without authentication, remote attackers can modify WordPress core settings, specifically enabling user registration and assigning the administrator role to newly registered accounts.
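The general pattern behind this class of bug, shown here as an added illustration rather than the plugin's own code (the hc_demo_* function and hook names are hypothetical; users_can_register and default_role are the standard WordPress core options that control open registration and the role given to new accounts): an AJAX handler that is registered for logged-out visitors through the wp_ajax_nopriv_ hook and writes whatever option it is told to, beside a hardened version that requires a nonce, a capability, and an allow-list of the plugin's own settings.

```php
<?php
// Added illustration (not the plugin's actual code): an unauthenticated
// options-update AJAX handler beside a hardened version. The hc_demo_* names
// are hypothetical; users_can_register and default_role are WordPress core options.

// --- Vulnerable pattern ---
// Exposed to logged-out users via wp_ajax_nopriv_, no nonce, no capability
// check, and any option name is accepted, so core options such as
// users_can_register and default_role can be rewritten by anyone.
function hc_demo_save_option_vulnerable() {
    $name  = isset($_POST['option_name'])  ? sanitize_key($_POST['option_name']) : '';
    $value = isset($_POST['option_value']) ? wp_unslash($_POST['option_value'])   : '';
    update_option($name, $value);
    wp_send_json_success();
}
add_action('wp_ajax_hc_demo_save_option',        'hc_demo_save_option_vulnerable');
add_action('wp_ajax_nopriv_hc_demo_save_option', 'hc_demo_save_option_vulnerable'); // the defect

// --- Hardened version ---
function hc_demo_save_option_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer('hc_demo_save_option', 'nonce');

    // 2. Authorization: only users who may manage options can change them.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Allow-list: only the plugin's own settings, never arbitrary core options.
    $allowed = array('hc_demo_layout', 'hc_demo_accent_color');
    $name    = isset($_POST['option_name']) ? sanitize_key($_POST['option_name']) : '';
    if (!in_array($name, $allowed, true)) {
        wp_send_json_error('unknown option', 400);
    }

    $value = isset($_POST['option_value'])
        ? sanitize_text_field(wp_unslash($_POST['option_value']))
        : '';
    update_option($name, $value);
    wp_send_json_success();
}
// Registered for authenticated users only: no wp_ajax_nopriv_ hook at all.
add_action('wp_ajax_hc_demo_save_option', 'hc_demo_save_option_hardened');
```

The three checks are independent: the nonce stops cross-site requests from a logged-in administrator's browser, the capability check stops low-privilege accounts, and the allow-list limits the blast radius even if the first two are ever bypassed, because the handler can then only touch settings the plugin itself owns.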

Business impact

With a CVSS score of 9.8, this vulnerability represents a critical risk to the confidentiality, integrity, and availability of the affected WordPress site. Successful exploitation grants an attacker full administrative control, which can be used to exfiltrate sensitive data, inject malicious content, or distribute malware to site visitors.

Remediation

Immediate Action: Update the WordPress Hybrid Composer plugin to version 1.4.7 or the latest available release to patch the vulnerable AJAX endpoint.

Proactive Monitoring: Review web server access logs for anomalous POST requests directed at admin-ajax.php containing the hc_ajax_save_option parameter.
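A small log-review script for the check above, added here as an example and not part of the advisory. It reads combined-format web server access-log lines (the lines embedded below are constructed) and reports requests to admin-ajax.php whose query string names the hc_ajax_save_option action. It goes slightly beyond the advisory's POST-only wording by reporting any method, since admin-ajax.php reads the action from $_REQUEST and so accepts GET as well. Two caveats a reviewer should keep in mind: the combined format records only the request line, so an action sent in the POST body is invisible here and needs WAF or request-body logging; and the log does not show whether the caller was authenticated, so hits must be correlated with the session or user data available elsewhere.

```php
<?php
// Added example (not part of the advisory): flag access-log requests that invoke
// the hc_ajax_save_option action on admin-ajax.php. Sample log lines are constructed.

function hc_find_option_save_requests(array $lines): array {
    $hits = array();
    // Combined log format: IP ident user [time] "METHOD TARGET PROTO" STATUS ...
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not a combined-format line; skip rather than guess
        }
        list(, $ip, $time, $method, $target, $status) = $m;
        $path  = (string) parse_url($target, PHP_URL_PATH);
        $query = (string) parse_url($target, PHP_URL_QUERY);

        $suffix = '/admin-ajax.php';
        if (substr($path, -strlen($suffix)) !== $suffix) {
            continue;
        }
        $params = array();
        parse_str($query, $params);
        if (($params['action'] ?? '') !== 'hc_ajax_save_option') {
            continue; // action carried only in a POST body will not be seen here
        }
        $hits[] = array(
            'ip'     => $ip,
            'time'   => $time,
            'method' => $method,
            'status' => $status,
        );
    }
    return $hits;
}

// Constructed sample: one benign heartbeat call, one hit, one unrelated request.
$sample = array(
    '203.0.113.10 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=hc_ajax_save_option HTTP/1.1" 200 27 "-" "curl/8.0"',
    '203.0.113.10 - - [10/Jan/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4101 "-" "Mozilla/5.0"',
);

foreach (hc_find_option_save_requests($sample) as $hit) {
    printf("%s %s %s admin-ajax.php action=hc_ajax_save_option status=%s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['status']);
}
```

Once the plugin is updated, the same query should stop producing 200 responses from unauthenticated callers; a hit that still returns 200 after patching is worth investigating rather than assuming the update took effect.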

Compensating Controls: Until the update is applied, add a Web Application Firewall (WAF) rule that blocks requests to admin-ajax.php carrying the hc_ajax_save_option action unless they originate from a valid, authenticated administrative session. The rule should be scoped to that action rather than to admin-ajax.php as a whole, since WordPress core and many plugins legitimately serve unauthenticated requests through that endpoint.

Exploitation status

Public Exploit Available: True

Analyst recommendation

Given the critical severity and confirmed reports of active exploitation, organizations utilizing Hybrid Composer must prioritize this update. Failure to remediate will likely lead to total site compromise and potential data breach.