CVE-2025-6038
Lisfinity · Lisfinity Core - Lisfinity Core plugin for WordPress
A high-severity vulnerability has been identified in the Lisfinity Core WordPress plugin, which could allow an attacker to escalate their privileges.
Executive summary
CVE-2025-6038 is a high-severity (CVSS 8.8) privilege escalation flaw in the password update functionality of the Lisfinity Core WordPress plugin. Successful exploitation lets an attacker who should not hold that authority change the password of any account, including an administrator's, which amounts to a complete compromise of the affected WordPress website.
Vulnerability
The Lisfinity Core plugin contains a privilege escalation vulnerability in its password update functionality. The flaw likely stems from a missing authorization check in the handler that processes password changes: it appears to accept a target user identifier from the request without verifying that the requester is that user or holds the capability to edit other users. A low-privileged authenticated user could therefore change the password of an arbitrary account simply by manipulating the password update request. Whether the same code path is reachable without authentication has not been established; a CVSS 3.x score of 8.8 with full confidentiality, integrity and availability impact is consistent with a low-privileged attacker and no user interaction, whereas the same impact from an unauthenticated attacker with no interaction would score 9.8. By targeting an administrative account, an attacker gains full control of the WordPress site, which in practice means the ability to modify content, export user data, and execute arbitrary PHP on the server through plugin or theme uploads.
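The following PHP is added here as an illustration of the bug class the description points at, shown beside a hardened version; it is not code from the Lisfinity Core plugin, and the AJAX action names, POST parameter names and nonce action are assumptions. The WordPress functions it calls (check_ajax_referer, current_user_can, wp_check_password, wp_set_password, WP_Session_Tokens) are real core APIs.

```php
<?php
// Added example, not Lisfinity Core code. Action and parameter names
// (hypo_*, user_id, password, current_password, nonce) are assumptions.

// VULNERABLE PATTERN: the handler trusts a caller-supplied user ID and performs
// neither a nonce nor a capability check. Because it is hooked on wp_ajax_, the
// caller must be logged in, but any subscriber can reset any account's password,
// including an administrator's, by changing a single POST field. Registering the
// same callback on 'wp_ajax_nopriv_...' would expose it to unauthenticated callers.
function hypo_vulnerable_update_password() {
    $user_id  = (int) $_POST['user_id'];
    $password = (string) $_POST['password'];
    wp_set_password( $password, $user_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_update_password_vulnerable', 'hypo_vulnerable_update_password' );

// HARDENED PATTERN: bind the request to the session with a nonce, default the
// target to the caller, require the 'edit_user' meta capability for anyone else,
// re-check the current password for self-service changes, and invalidate sessions.
function hypo_secure_update_password() {
    // 1. CSRF: dies with -1 if the nonce for this action is missing or invalid.
    check_ajax_referer( 'hypo_update_password', 'nonce' );

    $current_id = get_current_user_id();
    $target_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current_id;

    if ( ! get_userdata( $target_id ) ) {
        wp_send_json_error( 'no_such_user', 404 );
    }

    // 2. Authorization: changing another user's password requires 'edit_user'
    //    for that specific user, which core maps to edit_users (administrators
    //    only on a default single-site install). This is the check whose absence
    //    turns a password form into a privilege escalation.
    if ( $target_id !== $current_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Re-authentication: a self-service change must prove the current password,
    //    so a hijacked session or an XSS cannot silently take over the account.
    if ( $target_id === $current_id ) {
        $me               = wp_get_current_user();
        $current_password = isset( $_POST['current_password'] ) ? (string) $_POST['current_password'] : '';
        if ( ! wp_check_password( $current_password, $me->user_pass, $me->ID ) ) {
            wp_send_json_error( 'bad_current_password', 403 );
        }
    }

    $password = isset( $_POST['password'] ) ? (string) $_POST['password'] : '';
    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'password_too_short', 400 );
    }

    wp_set_password( $password, $target_id );

    // 4. Session hygiene: wp_set_password() does not by itself invalidate existing
    //    login sessions, so log the target out everywhere; keep only the caller's
    //    own session when they changed their own password.
    $sessions = WP_Session_Tokens::get_instance( $target_id );
    if ( $target_id === $current_id ) {
        $sessions->destroy_others( wp_get_session_token() );
    } else {
        $sessions->destroy_all();
    }

    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_update_password', 'hypo_secure_update_password' );
```

The two handlers are hooked under different action names only so that they can sit side by side; a real plugin would ship the hardened one alone. The nonce check on its own is not a fix: nonces defend against cross-site request forgery, not against a logged-in attacker who obtains a valid nonce from their own session, which is why the capability check in step 2 is the essential control.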
Business impact
This vulnerability is rated as high severity with a CVSS score of 8.8, posing a significant risk to the organization. A successful exploit would grant an attacker complete administrative control over the website, leading to potential consequences such as website defacement, theft of sensitive customer or business data, distribution of malware to site visitors, and severe reputational damage. The compromise of a key web asset can disrupt business operations, erode customer trust, and result in financial loss.
Remediation
Immediate Action: Update the Lisfinity Core plugin and the associated Lisfinity theme to the latest patched version provided by the vendor. Because the attack outcome is a changed password, treat every privileged account as potentially taken over until proven otherwise: force a password reset for all administrators and editors, invalidate all active sessions, and review the user list for accounts whose password, e-mail address or role changed unexpectedly or that you did not create. Also check for plugins, theme files or scheduled tasks you do not recognise, since an attacker with administrator access can install code that survives the password reset. If the plugin is no longer essential for business operations, deactivate and remove it to reduce the attack surface.
Proactive Monitoring: Monitor web server access logs and WordPress security audit logs for unusual or repeated password update attempts, especially those targeting administrative accounts. Note that access logs record only the request line, so a password-change POST to admin-ajax.php or a REST API route looks like any other request; correlate request counts per source IP against application-level audit events that record which account was modified and by whom. Watch for unexpected successful logins from new IP addresses or geolocations, particularly administrator logins that follow shortly after a password change made by a different account. Implement file integrity monitoring to detect unauthorized changes to WordPress core files, themes, or plugins.
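The application-level audit event described above can be produced with a small must-use plugin. The following PHP is an added example, not part of the Lisfinity Core plugin or the original advisory; it hooks the core 'profile_update' action, which wp_update_user() fires with the pre-update user object, and logs every password change, flagging changes made to someone else's account. It assumes the password change goes through wp_update_user(); a handler that calls wp_set_password() directly bypasses this hook (recent WordPress releases fire a 'wp_set_password' action that can be hooked the same way; verify against your installed core version).

```php
<?php
/**
 * Plugin Name: Password Change Audit
 * Description: Added example, not Lisfinity Core code. Logs every password
 * change that passes through wp_update_user() and flags cross-account changes.
 * Install in wp-content/mu-plugins/ so it cannot be disabled from the dashboard.
 */

/**
 * Classify a password change for alerting. Kept free of WordPress calls so the
 * decision logic can be tested in isolation.
 *
 * @param int      $actor_id     ID of the logged-in user who made the request (0 if none).
 * @param int      $target_id    ID of the account whose password changed.
 * @param string[] $target_roles Roles of the target account.
 * @return string  'self_service', 'cross_account' or 'critical_cross_account_admin'.
 */
function hypo_classify_password_change( $actor_id, $target_id, array $target_roles ) {
    if ( $actor_id === $target_id ) {
        return 'self_service';
    }
    if ( in_array( 'administrator', $target_roles, true ) ) {
        return 'critical_cross_account_admin';
    }
    return 'cross_account';
}

/**
 * profile_update fires on every profile save; act only when the stored hash changed.
 * $userdata is optional so the callback also works on cores that pass two arguments.
 */
function hypo_audit_password_change( $user_id, $old_user_data, $userdata = array() ) {
    $new = get_userdata( $user_id );
    if ( ! $new || ! ( $old_user_data instanceof WP_User ) ) {
        return;
    }
    if ( $new->user_pass === $old_user_data->user_pass ) {
        return; // profile edit without a password change
    }

    $actor_id = get_current_user_id(); // 0 for unauthenticated requests
    $entry    = array(
        'ts'           => gmdate( 'c' ),
        'event'        => 'password_changed',
        'severity'     => hypo_classify_password_change( $actor_id, (int) $user_id, $new->roles ),
        'target_id'    => (int) $user_id,
        'target_login' => $new->user_login,
        'target_roles' => $new->roles,
        'actor_id'     => $actor_id,
        'remote_addr'  => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'request_uri'  => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'is_ajax'      => wp_doing_ajax(),
    );

    // One JSON line per event; with WP_DEBUG_LOG this lands in wp-content/debug.log,
    // otherwise in the PHP error log, where a log shipper can pick it up.
    error_log( 'wp-password-audit ' . wp_json_encode( $entry ) );

    // Let a SIEM forwarder or notification plugin react to high-severity events.
    if ( 'critical_cross_account_admin' === $entry['severity'] ) {
        do_action( 'hypo_password_audit_alert', $entry );
    }
}
add_action( 'profile_update', 'hypo_audit_password_change', 10, 3 );
```

An event with severity critical_cross_account_admin whose actor_id belongs to a subscriber, or is 0, is exactly the signature an exploit of this vulnerability would leave if the plugin's code path runs through wp_update_user(); a self_service event from an unexpected remote_addr is the follow-on signal of the attacker logging in with the new password.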
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules that inspect and block requests to the plugin's password update functions, in particular requests that carry a user identifier other than the requester's own. Restricting the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses reduces general exposure, but note that plugin handlers are commonly exposed through /wp-admin/admin-ajax.php, which front-end features also rely on, or through REST API routes under /wp-json/, so a blanket restriction may break the site without covering the vulnerable endpoint; confirm which path the plugin uses before relying on it. Enforce multi-factor authentication (MFA) for all users, especially administrators: MFA does not prevent an authenticated low-privileged user from invoking the flawed function, but it keeps a changed administrator password from being sufficient on its own to log in.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.8, this vulnerability requires immediate attention. We strongly recommend that organizations using the affected Lisfinity Core plugin apply the vendor-supplied patches without delay. Although there is no evidence of active exploitation at this time, the risk of a full website compromise is severe. Prioritize patching this vulnerability across all relevant web assets and implement the recommended monitoring and compensating controls to mitigate risk.