CVE-2025-6380

ONLYOFFICE · ONLYOFFICE Docs plugin for WordPress

A critical privilege escalation vulnerability exists in the ONLYOFFICE Docs plugin for WordPress.

Executive summary

A critical privilege escalation vulnerability exists in the ONLYOFFICE Docs plugin for WordPress. This flaw allows an unauthenticated attacker to gain full administrative control over an affected website by sending a malicious request to a specific plugin endpoint. Successful exploitation could lead to a complete site takeover, data theft, and further system compromise.

Vulnerability

The vulnerability is a missing authorization check within the oo.callback REST API endpoint of the plugin. This endpoint fails to validate whether the user making the request has the appropriate permissions to perform administrative actions. An unauthenticated attacker can craft a specific request to this endpoint to exploit this flaw and create a new user account with administrator privileges, effectively bypassing all security controls.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would grant an attacker complete administrative control over the affected WordPress site. This could lead to severe business consequences, including website defacement, theft of sensitive customer or business data, injection of malware to infect site visitors, and using the compromised server to launch further attacks. The potential for reputational damage, financial loss, and regulatory penalties related to data breaches is extremely high.

Remediation

Immediate Action: Immediately update the ONLYOFFICE Docs plugin for WordPress to the latest version (2.2.1 or newer) that addresses this vulnerability. After patching, review all administrator-level accounts on your WordPress site to ensure no unauthorized accounts have been created.

Proactive Monitoring: Continuously monitor web server access logs for suspicious POST requests to the /wp-json/onlyoffice/v1/oo/callback endpoint. Implement alerting for the creation of new administrative users or unexpected modifications to the site's configuration. A Web Application Firewall (WAF) can be configured to detect and block malicious requests targeting this endpoint.
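Detection logic for the access-log monitoring described above, as an added example that is not part of this advisory: it parses combined-format web server log lines, flags POST requests to the callback route from any source other than a configured ONLYOFFICE Document Server address (assumed to be 10.0.0.20 in the constructed sample), and also matches the `?rest_route=` form WordPress uses when pretty permalinks are disabled, so a rule keyed only on the `/wp-json/` path does not miss it.

```python
import re
from urllib.parse import parse_qs, urlsplit

REST_ROUTE = "/onlyoffice/v1/oo/callback"
CALLBACK_PATH = "/wp-json" + REST_ROUTE

# Apache/Nginx "combined" access log layout (assumed); adjust for custom formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def targets_callback(target):
    """True if the request target reaches the plugin's oo.callback route.
    WordPress exposes REST routes as /wp-json/<route> and, when pretty
    permalinks are off, as /?rest_route=<route>; both forms are checked."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") == CALLBACK_PATH:
        return True
    routes = parse_qs(parts.query).get("rest_route", [])
    return any(r.rstrip("/") == REST_ROUTE for r in routes)


def flag_callback_requests(lines, allowed_sources=frozenset()):
    """Return (ip, timestamp, target, status) for every POST to the callback
    that did not come from a known ONLYOFFICE Document Server address,
    which is the only legitimate caller of this endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline should count these
        if (m["method"] == "POST" and targets_callback(m["target"])
                and m["ip"] not in allowed_sources):
            hits.append((m["ip"], m["ts"], m["target"], int(m["status"])))
    return hits


# Constructed sample lines: one legitimate Document Server callback, two from
# unknown sources (one via rest_route), and a GET that the rule ignores.
SAMPLE_LOG = [
    '10.0.0.20 - - [10/Jul/2025:12:00:01 +0000] "POST /wp-json/onlyoffice/v1/oo/callback HTTP/1.1" 200 87 "-" "Node.js"',
    '192.0.2.10 - - [10/Jul/2025:12:00:05 +0000] "POST /wp-json/onlyoffice/v1/oo/callback HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jul/2025:12:01:00 +0000] "POST /?rest_route=/onlyoffice/v1/oo/callback HTTP/1.1" 200 87 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Jul/2025:12:02:00 +0000] "GET /wp-json/onlyoffice/v1/oo/callback HTTP/1.1" 404 50 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, target, status in flag_callback_requests(SAMPLE_LOG, {"10.0.0.20"}):
        print(f"ALERT {ts} {ip} POST {target} -> {status}")
```

Pair any hit that returned a 2xx status on an unpatched version with an immediate review of the site's administrator accounts, since a successful request is exactly the admin-creation path the advisory describes.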

Compensating Controls: If patching is not immediately possible, consider the following controls:

  • Use a WAF to create a rule that blocks all access to the vulnerable endpoint (/wp-json/onlyoffice/v1/oo/callback).
  • Temporarily disable the ONLYOFFICE Docs plugin until it can be safely updated.
  • Restrict access to the WordPress administrative dashboard (/wp-admin/) to only trusted IP addresses.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the critical severity (CVSS 9.8) of this vulnerability and the high risk of a complete website compromise, immediate action is required. All organizations using the ONLYOFFICE Docs plugin for WordPress versions 1.1.0 through 2.2.0 must prioritize updating to the latest patched version without delay. While this vulnerability is not currently on the CISA KEV list, its high impact and ease of exploitation make it a prime candidate for future inclusion, reinforcing the urgency to patch.