CVE-2025-3101: Configurator Theme Core <= 1.4.7 - Authenticated (Subscriber+) Privilege Escalation
First published: Thu Apr 24 2025(Updated: )
The Configurator Theme Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.7. This is due to the plugin not properly validating user meta fields prior to updating them in the database. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change escalate their privileges to Administrator.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Configurator Theme Core | <=1.4.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-3101?
CVE-2025-3101 is categorized as a privilege escalation vulnerability affecting the Configurator Theme Core plugin.
How do I fix CVE-2025-3101?
To fix CVE-2025-3101, update the Configurator Theme Core plugin to version 1.4.8 or later.
Who is affected by CVE-2025-3101?
All users of the Configurator Theme Core plugin for WordPress versions up to 1.4.7 are affected by CVE-2025-3101.
What type of attacks can exploit CVE-2025-3101?
CVE-2025-3101 can be exploited by authenticated attackers to escalate privileges within the WordPress site.
What is the cause of CVE-2025-3101?
CVE-2025-3101 is caused by the plugin's improper validation of user meta fields prior to database updates.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/severity
- agent/source
- agent/tags
- agent/event
- vendor/configurator
- canonical/configurator theme core