cleantalk
Vulnerabilities and Security Researches

ONLYOFFICE, CVE-2025-6380

CVE, Research URL

CVE-2025-6380

Home page URL

Security reports for ONLYOFFICE

Application

ONLYOFFICE

Published on
Jul 24, 2025
Research Description
The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment post, but does not verify the requester’s identity or capabilities. This makes it possible for unauthenticated attackers to log in as an arbitrary user.
Affected versions
Min -, max 1.1.0.
Status
vulnerable
Previous vulnerability researches
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor (CVE-2025-4685) , Jul 23, 2025
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor (CVE-2024-10178) , Dec 06, 2024
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor (CVE-2024-43308) , Aug 20, 2024
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor (CVE-2025-1986) , May 07, 2025
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor (CVE-2024-5417) , Aug 31, 2024
New vulnerability
WP Wallcreeper (CVE-2025-7822) , Jul 26, 2025
Supreme Addons for Beaver Builder – (CVE-2025-3669) , Jul 25, 2025
WP Get The Table (CVE-2025-6387) , Jul 25, 2025
ElementsKit Elementor addons (CVE-2025-3614) , Jul 25, 2025
WP Links Page (CVE-2025-30998) , Jul 25, 2025