cleantalk
Vulnerabilities and Security Researches

Offsprout Page Builder, CVE-2025-4672

CVE, Research URL

CVE-2025-4672

Home page URL

Security reports for Offsprout Page Builder

Application

Offsprout Page Builder

Published on
May 31, 2025
Research Description
The Offsprout Page Builder plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization placed on the permission_callback() function in versions 2.2.1 to 2.15.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to read, create, update or delete any user meta, including flipping their own wp_capabilities to administrator and fully escalate their privileges.
Affected versions
Min 2.2.1, max 2.15.2.
Status
vulnerable
Previous vulnerability researches
Translate Multilingual sites – TranslatePress (CVE-2024-34827) , Jun 07, 2024
Translate Multilingual sites – TranslatePress (CVE-2021-24610) , Jun 07, 2024
Translate Multilingual sites – TranslatePress (CVE-2022-3141) , Jun 07, 2024
Translate Multilingual sites – TranslatePress (CVE-2025-30773) , Mar 28, 2025
New vulnerability
WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance (CVE-2025-3951) , Jun 04, 2025
Year Make Model Search for WooCommerce (CVE-2025-48265) , Jun 04, 2025
Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP (CVE-2025-48255) , Jun 04, 2025
Real Cookie Banner: GDPR & ePrivacy Cookie Consent (CVE-2025-1485) , Jun 04, 2025
Shared Files – Advanced File Sharing & Download Manager with Frontend Uploads & Lead Generation (CVE-2025-4392) , Jun 04, 2025