cleantalk
Vulnerabilities and Security Researches

ONLYOFFICE, CVE-2025-6380

CVE, Research URL

CVE-2025-6380

Home page URL

Security reports for ONLYOFFICE

Application

ONLYOFFICE

Published on
Jul 24, 2025
Research Description
The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment post, but does not verify the requester’s identity or capabilities. This makes it possible for unauthenticated attackers to log in as an arbitrary user.
Affected versions
Min -, max 1.1.0.
Status
vulnerable
Previous vulnerability researches
SIP Reviews Shortcode for WooCommerce (CVE-2024-6479) , Nov 02, 2024
SIP Reviews Shortcode for WooCommerce (CVE-2024-6480) , Nov 02, 2024
New vulnerability
WP Wallcreeper (CVE-2025-7822) , Jul 26, 2025
Supreme Addons for Beaver Builder – (CVE-2025-3669) , Jul 25, 2025
WP Get The Table (CVE-2025-6387) , Jul 25, 2025
ElementsKit Elementor addons (CVE-2025-3614) , Jul 25, 2025
WP Links Page (CVE-2025-30998) , Jul 25, 2025