Hybrid Composer Plugin Vulnerability (CVE-2019-25738)

Security Alert Summary

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows an attacker to modify site options via a specific AJAX action. An attacker can send POST requests to the WordPress admin-ajax.php endpoint with the action parameter set to hc_ajax_save_option to enable user registration and set the default role to administrator, which can lead to account takeover.


CVE Details

  • CVE ID: CVE-2019-25738
  • Affected component: WordPress Hybrid Composer
  • Affected versions: 1.4.6 (as stated in the description)
  • Published: June 4, 2026 at 2:16:32 PM (UTC)
  • Last modified: June 4, 2026 at 3:00:40 PM (UTC)
  • CVSS v3.1: Base Score 9.8 – CRITICAL
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Authentication / privileges / user interaction: No authentication required; PR:N (Privileges Required: NONE); UI:N (User Interaction: NONE)
  • Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
  • CWE: CWE-306 (Missing Authentication for Critical Function)

Technical Details

The vulnerability is an unauthenticated settings change in Hybrid Composer 1.4.6. The plugin exposes an AJAX action named hc_ajax_save_option that accepts POST requests via the WordPress admin-ajax.php endpoint. Because the action does not require authentication or proper capability checks, remote attackers can submit requests that update site options.

The CVE description identifies two notable impacts an attacker can trigger by sending crafted POST requests to admin-ajax.php with action=hc_ajax_save_option:

  • Enable user registration (changing the option that allows new user signups).
  • Set the default role assigned to new users to administrator, enabling account takeover when attackers register new accounts.

These changes occur at the settings/options level and directly affect site configuration, allowing attackers to obtain administrative access without valid credentials if registration and default role options are changed.
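The defect class described above (an AJAX handler reachable without login and without a capability check) is easiest to see next to its fix. The following PHP is an illustrative example written for this advisory; it is not the Hybrid Composer plugin's source, and the handler names, the `name`/`value` POST parameters, the nonce action and the allowlisted option names are all assumptions chosen to show the pattern rather than the plugin's real identifiers.

```php
<?php
/**
 * Illustrative (hypothetical) option-save AJAX handler for this advisory.
 * NOT the Hybrid Composer plugin's code; names are assumed for the example.
 */

// --- Vulnerable pattern (shown for contrast; registrations left commented) ---
// Registering under wp_ajax_nopriv_* lets visitors who are not logged in
// reach the handler, and nothing below checks a nonce or a capability, so
// any POST to admin-ajax.php with action=hc_ajax_save_option reaches
// update_option() for whatever option name the request carries.
function hc_ajax_save_option_vulnerable() {
    update_option( $_POST['name'], $_POST['value'] );
    wp_die();
}
// add_action( 'wp_ajax_hc_ajax_save_option',        'hc_ajax_save_option_vulnerable' );
// add_action( 'wp_ajax_nopriv_hc_ajax_save_option', 'hc_ajax_save_option_vulnerable' );

// --- Hardened pattern --------------------------------------------------------
// 1. No wp_ajax_nopriv_ registration: WordPress answers anonymous requests
//    for this action with an error before the handler runs.
// 2. check_ajax_referer() requires a nonce issued to the logged-in user, which
//    also blocks CSRF against a logged-in administrator.
// 3. current_user_can( 'manage_options' ) is the capability that guards
//    settings; subscriber, contributor, author and editor roles lack it.
// 4. Only an explicit allowlist of plugin-owned options may be written, so
//    core options such as users_can_register and default_role are unreachable
//    even by a user who passes the first three checks.
const HC_ALLOWED_OPTIONS = array( 'hc_layout', 'hc_color_scheme' ); // assumed names

function hc_ajax_save_option_hardened() {
    check_ajax_referer( 'hc_save_option', 'nonce' ); // dies on a bad/missing nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $name  = isset( $_POST['name'] )  ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    if ( ! in_array( $name, HC_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
add_action( 'wp_ajax_hc_ajax_save_option', 'hc_ajax_save_option_hardened' );

// The nonce the hardened handler expects is created server-side, e.g.
// wp_create_nonce( 'hc_save_option' ), and passed to the settings page's
// JavaScript (typically via wp_localize_script()) so it can be posted back.
```

The allowlist is the check most often forgotten: a nonce and a capability test stop anonymous callers, but a handler that still writes arbitrary option names remains a settings-tampering primitive for any account that can reach it.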


How This Could Impact Your Website

Consider a typical small site with a site owner, internal staff editors, and an external contractor who contributes content. An unauthenticated attacker could enable user registration and set the default role to administrator. The attacker then registers a new account and immediately gains administrative privileges.

Practical consequences include the exposure or manipulation of site content, unauthorized creation or deletion of posts, and access to internal user data such as email addresses. Having administrative accounts created by attackers also increases the risk of targeted phishing or social engineering against staff and contractors because attacker-controlled administrator accounts can view or export user information.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review user roles and remove unnecessary ones, especially accounts with contributor- or author-level access, to limit privilege escalation paths.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and user registrations for unusual behavior, such as unexpected administrator accounts or changes to registration settings.
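The monitoring step above can be automated inside WordPress itself. The following must-use plugin is an added example written for this advisory (not part of Hybrid Composer or of WordPress): it uses the core `update_option_{$option}` and `user_register` hooks to log and e-mail the site administrator whenever `users_can_register` or `default_role` changes, or when a new account is created holding the administrator role. The log prefix, function names and the `hc_watchdog_audit()` helper are our own; the hook names, option names and `wp_mail()`/`error_log()` calls are standard.

```php
<?php
/**
 * Plugin Name: Registration Settings Watchdog (illustrative example)
 * Description: Alerts when the two settings abused in CVE-2019-25738 change
 *              or when a new administrator account appears. Added example for
 *              this advisory; place in wp-content/mu-plugins/ to load it.
 */

function hc_watchdog_client_ip() {
    // REMOTE_ADDR is the direct peer; behind a reverse proxy adjust to the
    // header your proxy sets (assumption: no proxy in this example).
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function hc_watchdog_notify( $subject, $body ) {
    // error_log() writes to the PHP error log (or debug.log when WP_DEBUG_LOG
    // is on); wp_mail() makes sure a human sees it.
    error_log( '[registration-watchdog] ' . $subject . ' | ' . $body );
    wp_mail( get_option( 'admin_email' ), '[watchdog] ' . $subject, $body );
}

// update_option_{$option} fires after the write, with old and new values.
function hc_watchdog_on_users_can_register( $old_value, $value ) {
    if ( (string) $old_value !== (string) $value ) {
        hc_watchdog_notify(
            'users_can_register changed',
            sprintf( 'old=%s new=%s ip=%s', $old_value, $value, hc_watchdog_client_ip() )
        );
    }
}
add_action( 'update_option_users_can_register', 'hc_watchdog_on_users_can_register', 10, 2 );

function hc_watchdog_on_default_role( $old_value, $value ) {
    if ( $old_value !== $value ) {
        // Any change is logged; a privileged default role is called out in the subject.
        $subject = in_array( $value, array( 'administrator', 'editor' ), true )
            ? 'default_role set to PRIVILEGED role ' . $value
            : 'default_role changed';
        hc_watchdog_notify(
            $subject,
            sprintf( 'old=%s new=%s ip=%s', $old_value, $value, hc_watchdog_client_ip() )
        );
    }
}
add_action( 'update_option_default_role', 'hc_watchdog_on_default_role', 10, 2 );

// user_register fires once the new account exists; inspect the roles it got.
function hc_watchdog_on_user_register( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        hc_watchdog_notify(
            'new ADMINISTRATOR account registered',
            sprintf( 'user_id=%d login=%s ip=%s', $user_id, $user->user_login, hc_watchdog_client_ip() )
        );
    }
}
add_action( 'user_register', 'hc_watchdog_on_user_register' );

// One-shot audit of the current state, e.g. via WP-CLI:
//   wp eval 'print_r( hc_watchdog_audit() );'
function hc_watchdog_audit() {
    $admins = get_users( array( 'role' => 'administrator', 'fields' => array( 'ID', 'user_login', 'user_registered' ) ) );
    return array(
        'users_can_register' => (string) get_option( 'users_can_register' ),
        'default_role'       => (string) get_option( 'default_role' ),
        'administrators'     => $admins,
    );
}
```

For a site that should never allow open signups, the expected audit output is `users_can_register` equal to `0` and `default_role` equal to `subscriber`; the same two values can be read without the plugin using `wp option get users_can_register` and `wp option get default_role`. Review the `administrators` list for accounts whose `user_registered` timestamp nobody on staff can account for.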

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References