My WP Translate WordPress Plugin CVE-2025-8425: Brief Summary of Privilege Escalation Vulnerability

A brief summary of CVE-2025-8425, a privilege escalation vulnerability in the My WP Translate WordPress plugin up to version 1.1. This post covers the technical mechanism, affected versions, and vendor security history based on available public sources.

ZeroPath CVE Analysis

2025-09-11

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers with only Subscriber-level accounts can turn themselves into full administrators on WordPress sites running vulnerable versions of My WP Translate. This flaw directly enables privilege escalation and site takeover on any installation using the plugin up to and including version 1.1.

My WP Translate is a WordPress plugin developed by MyThemeShop to provide translation management for themes and plugins. While not as widely deployed as some major translation plugins, it is used on thousands of sites and has a history of security issues.

Technical Information

The vulnerability is rooted in the ajax_import_strings() function, present in all versions of My WP Translate up to and including 1.1. This function is registered as a WordPress AJAX action and is accessible to any authenticated user. Critically, it does not perform a capability check (such as current_user_can('manage_options')) before processing requests.

This means that any logged-in user, including those with the lowest Subscriber role, can send a crafted AJAX request to wp-admin/admin-ajax.php with the appropriate action parameter. The function then processes user-supplied data and updates arbitrary WordPress options in the wp_options table.

The most impactful exploitation involves setting the following options:

  • users_can_register to 1 (enables public registration)
  • default_role to administrator (makes all new users administrators)

Once these are set, an attacker can register a new account and immediately gain administrator privileges, fully compromising the site.

The root cause is a missing authorization check (CWE-862) on a sensitive AJAX endpoint. This is a recurring anti-pattern in WordPress plugin development. The public code reference for the vulnerable function is available here:

https://plugins.trac.wordpress.org/browser/my-wp-translate/tags/1.1/admin/class-my-wp-translate-admin.php#L1116
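
A hardened AJAX handler showing where the missing authorization check belongs, as an added example that is not the plugin's code or a vendor patch. The action name, nonce name, the strings POST field and the example_translate_ option prefix are assumptions made for illustration.

```php
<?php
// Added example: hypothetical plugin code, not My WP Translate's source.
// Action name, nonce name, POST field and option prefix are assumptions.

add_action( 'wp_ajax_example_import_strings', 'example_ajax_import_strings' );

function example_ajax_import_strings() {
    // 1. CSRF: reject requests without a valid nonce (dies with 403 on failure).
    check_ajax_referer( 'example_import_strings', 'nonce' );

    // 2. Authorization: a wp_ajax_* hook only proves the caller is logged in,
    //    so a Subscriber reaches this point. Require an admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input: decode the import payload and require an array of pairs.
    $raw     = isset( $_POST['strings'] ) ? wp_unslash( $_POST['strings'] ) : '';
    $strings = json_decode( $raw, true );
    if ( ! is_array( $strings ) ) {
        wp_send_json_error( array( 'message' => 'Invalid payload' ), 400 );
    }

    // 4. Scope: never let request data choose an arbitrary option name.
    //    Only keys under the plugin's own prefix are written, so core
    //    options such as users_can_register and default_role are out of reach.
    $prefix  = 'example_translate_';
    $written = 0;
    foreach ( $strings as $name => $value ) {
        $key = sanitize_key( $name );
        if ( 0 !== strpos( $key, $prefix ) || ! is_scalar( $value ) ) {
            continue; // skip anything outside the plugin's namespace
        }
        update_option( $key, sanitize_text_field( (string) $value ), false );
        $written++;
    }

    wp_send_json_success( array( 'written' => $written ) );
}
```

The capability check closes the CWE-862 gap on its own; the prefix allowlist limits what the endpoint can overwrite even if an administrator session is abused.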

Affected Systems and Versions

  • Product: My WP Translate WordPress plugin
  • Affected versions: All versions up to and including 1.1
  • Any WordPress site with this plugin active is vulnerable
  • Exploitation requires any authenticated user account (Subscriber or higher)

Vendor Security History

MyThemeShop, the vendor behind My WP Translate, has a history of security issues in this plugin. Previous versions (such as 1.0.3) were affected by unprotected AJAX actions, cross-site scripting, and option deletion vulnerabilities. The vendor's response to past vulnerabilities has varied, and there is no evidence of proactive security advisories or rapid patch cycles.
