CVE-2025-14364

Demo · Demo Importer Plus plugin for WordPress

A high-severity vulnerability (CVSS 8.8) has been identified in the Demo Importer Plus plugin for WordPress and assigned CVE-2025-14364.

Executive summary

CVE-2025-14364 is a missing-authorization flaw in the Demo Importer Plus plugin for WordPress, rated High with a CVSS score of 8.8. The plugin's AJAX handler performs no capability check, so an unauthenticated attacker can invoke it directly to modify or delete site data and to escalate to administrator-level privileges. Successful exploitation can lead to full compromise of the website, significant data loss and operational disruption.

Vulnerability

The vulnerability is in the plugin's Ajax::handle_request() function. WordPress expects an AJAX handler that performs a privileged operation to verify authorization itself, normally with a capability check such as current_user_can( 'manage_options' ); admin-ajax.php performs no such check on the handler's behalf, and a nonce check (check_ajax_referer()) only defends against CSRF, it does not establish that the caller is permitted to act. Ajax::handle_request() performs no capability check, so any request that reaches it is processed, including one sent directly to admin-ajax.php by an unauthenticated attacker. The operations the handler exposes, importing or resetting site data and any other actions routed through it, are therefore executed for whoever asks, which can result in unauthorized data modification, data loss, or the creation of a rogue administrator account.
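To make the defect concrete, here is an added illustration of a WordPress AJAX handler with the same class of flaw, beside a hardened version. It is not the Demo Importer Plus source and does not reproduce Ajax::handle_request(); the class names, hook names, the task field and the nonce action are assumptions chosen for the example.

```php
<?php
// Added illustration, not code from Demo Importer Plus: a WordPress AJAX
// handler with the defect class described above, beside a hardened version.
// Class names, hook names, the 'task' field and the nonce action are assumptions.

abstract class Importer_Ajax_Base {

    /** The privileged work both variants dispatch to. */
    protected static function dispatch( $task ) {
        switch ( $task ) {
            case 'reset':
                // Destructive "reset site data" step: deletes every post.
                $posts = get_posts( array( 'numberposts' => -1, 'post_type' => 'any', 'post_status' => 'any' ) );
                foreach ( $posts as $post ) {
                    wp_delete_post( $post->ID, true );
                }
                wp_send_json_success( 'reset' );   // ends the request via wp_die()
                break;
            case 'import':
                // Site option overwritten from request-controlled input.
                $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
                update_option( 'blogname', $title );
                wp_send_json_success( 'imported' );
                break;
            default:
                wp_send_json_error( 'unknown task', 400 );
        }
    }
}

class Importer_Ajax_Vulnerable extends Importer_Ajax_Base {

    public static function register() {
        // The nopriv variant lets logged-out visitors reach the handler at all.
        add_action( 'wp_ajax_importer_request',        array( __CLASS__, 'handle_request' ) );
        add_action( 'wp_ajax_nopriv_importer_request', array( __CLASS__, 'handle_request' ) );
    }

    public static function handle_request() {
        // No check_ajax_referer() and no current_user_can(): every caller is
        // trusted, and the privileged operations in dispatch() run for anyone.
        $task = isset( $_POST['task'] ) ? sanitize_key( wp_unslash( $_POST['task'] ) ) : '';
        self::dispatch( $task );
    }
}

class Importer_Ajax_Hardened extends Importer_Ajax_Base {

    public static function register() {
        // Authenticated hook only: a destructive admin task has no business
        // being registered on wp_ajax_nopriv_.
        add_action( 'wp_ajax_importer_request', array( __CLASS__, 'handle_request' ) );
    }

    public static function handle_request() {
        // 1. Anti-CSRF: the nonce must have been issued for this action
        //    (wp_create_nonce( 'importer_request' ) on the admin page).
        //    With the default third argument this dies with HTTP 403 on failure.
        check_ajax_referer( 'importer_request', 'nonce' );

        // 2. Authorization: being logged in is not enough; a low-privilege
        //    user may be able to obtain a valid nonce too. Require the
        //    capability the task actually needs.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'insufficient permissions', 403 ); // calls wp_die()
        }

        $task = isset( $_POST['task'] ) ? sanitize_key( wp_unslash( $_POST['task'] ) ) : '';
        self::dispatch( $task );
    }
}

Importer_Ajax_Hardened::register();
```

The two fixes are independent and both are needed: dropping the wp_ajax_nopriv_ registration only moves the bar from "anyone" to "any logged-in user", and the nonce only proves the request came from a page WordPress rendered for that user. Only the current_user_can() check ties the destructive operation to a role that is supposed to perform it.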

Business impact

This vulnerability is rated High severity with a CVSS score of 8.8. Exploitation can cause complete loss of website data, defacement of the corporate website with the resulting reputational damage, and operational downtime. The privilege-escalation component also lets an attacker establish a persistent foothold in the web environment (for example a rogue administrator account), which can then serve as a pivot point toward other internal systems and a wider data breach.

Remediation

Immediate Action:

  • Immediately update the Demo Importer Plus plugin to the latest patched version provided by the vendor.
  • After patching, conduct a thorough review of all WordPress user accounts, particularly those with administrative privileges, to identify and remove any unauthorized accounts.
  • If the plugin is not essential for business operations, the recommended course of action is to deactivate and delete it to completely remove the associated attack surface.

Proactive Monitoring:

  • Monitor web server access logs for an unusual volume of POST requests to /wp-admin/admin-ajax.php, especially from unknown or suspicious IP addresses. Note that the action parameter is normally sent in the POST body, which a standard access log does not record; to see which actions are being called, use WAF or reverse-proxy logs that capture the request body, or log the action from inside WordPress itself.
  • Utilize a WordPress security or audit log plugin to monitor for unauthorized changes to user roles, site settings, content modifications, or plugin activations.
  • Employ a File Integrity Monitoring (FIM) solution to detect unauthorized modifications to plugin files or core WordPress files.

Compensating Controls:

  • Implement a Web Application Firewall (WAF) and apply a virtual patch or custom rule that blocks unauthenticated requests to the Demo Importer Plus plugin's admin-ajax.php actions. The rule must inspect the request body as well as the query string, because admin-ajax.php reads the action parameter from either.
  • Temporarily deactivate the vulnerable plugin until patching can be completed. This is the most effective short-term mitigation if the plugin's functionality is not mission-critical.
  • Restrict access to administrative functions, including admin-ajax.php, to trusted IP addresses only. Many themes and plugins also use admin-ajax.php for logged-out visitors, so this restriction can break legitimate front-end functionality; test it before deploying.
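The logging gap noted under Proactive Monitoring and the virtual patch described under Compensating Controls can both be handled inside WordPress with a must-use plugin. The following is an added example written for this advisory, not vendor or WordPress core code; the gated action names are placeholders, because the page does not list the plugin's actual AJAX action names, and the log path is an assumption.

```php
<?php
/**
 * Plugin Name: admin-ajax audit and gate
 * Description: Added example for this advisory, not vendor or WordPress core
 *              code. Logs every admin-ajax.php request with caller context and
 *              denies a configured list of actions to callers lacking
 *              manage_options. Install as wp-content/mu-plugins/admin-ajax-gate.php.
 */

defined( 'ABSPATH' ) || exit;

// ASSUMPTION: the advisory does not name the plugin's AJAX actions. Replace
// these placeholders with the names from its add_action( 'wp_ajax_...' ) calls.
define( 'AAG_GATED_ACTIONS', array(
    'demo_importer_plus_example_import',
    'demo_importer_plus_example_reset',
) );

// Audit log path (assumption). wp-content sits under the web root, so deny
// direct HTTP access to this file in the web server config or move it outside
// the document root.
define( 'AAG_LOG_FILE', WP_CONTENT_DIR . '/admin-ajax-audit.log' );

/**
 * Return the requested action exactly as admin-ajax.php will dispatch it
 * (it reads $_REQUEST['action'], so GET and POST both count), or '' if absent.
 */
function aag_requested_action() {
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
    return is_string( $action ) ? $action : '';
}

/**
 * Append one line to the audit log. Every field is reduced to a safe character
 * set so a crafted action name or header cannot inject fake lines (CR/LF).
 */
function aag_log( $event, $action ) {
    // Behind a reverse proxy, substitute the proxy-set client header only if
    // the proxy strips a client-supplied copy first.
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-';
    $line   = sprintf(
        "%s event=%s ip=%s method=%s user=%d action=%s\n",
        gmdate( 'c' ),
        $event,
        preg_replace( '/[^0-9a-fA-F.:\-]/', '', $ip ),
        preg_replace( '/[^A-Z\-]/', '', $method ),
        get_current_user_id(),                           // 0 for unauthenticated callers
        preg_replace( '/[^A-Za-z0-9_\-]/', '', $action )
    );
    error_log( $line, 3, AAG_LOG_FILE );
}

/**
 * Runs on admin_init, which admin-ajax.php fires before it dispatches the
 * wp_ajax_{action} / wp_ajax_nopriv_{action} hooks, so a denial here stops
 * the plugin's handler from ever executing. Priority 0 runs ahead of the
 * admin_init callbacks of ordinary plugins.
 */
function aag_audit_and_gate() {
    if ( ! wp_doing_ajax() ) {
        return; // admin_init also fires for ordinary wp-admin page loads
    }
    $action = aag_requested_action();
    aag_log( 'request', $action );

    if ( in_array( $action, AAG_GATED_ACTIONS, true ) && ! current_user_can( 'manage_options' ) ) {
        aag_log( 'denied', $action );
        // wp_send_json_error() ends the request with wp_die().
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}
add_action( 'admin_init', 'aag_audit_and_gate', 0 );
```

Because the log is written from inside WordPress, it records the action name for POST requests that the web server's access log cannot show, together with the user ID, so "unauthenticated caller hitting an import or reset action" is a single grep rather than a correlation exercise. The gate is a stop-gap until the vendor patch is applied: it only covers the action names you list, and on a busy site the per-request file write should be replaced with syslog or the existing audit-log plugin's API.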

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the CVSS score of 8.8 and the impact of privilege escalation and data loss, we strongly recommend that all organizations using the Demo Importer Plus plugin apply the vendor-supplied patch immediately. This vulnerability represents a significant risk of complete website compromise. Although it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, exploitation requires nothing more than an unauthenticated HTTP request, which makes it an attractive target for attackers. Prioritize patching on all public-facing WordPress instances without delay.