CVE-2025-5835 · HIGH 8.8 · EPSS p25.5%

Description

The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions, because the AJAX hook routes to several functions. Potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.34% probability of exploitation · percentile 25.5% · 2026-06-18T12:00:27Z
Published: 2025-07-25
Last modified: 2026-04-08

Underlying weaknesses · 1

CWE-862

References

  1. https://droip.com/
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/e2e6b451-9835-4887-ade7-b18807223a88?source=cve

Type | Target | Confidence | Tier
Weakness | Missing Authorization (cwe-862) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-5831
  2. CVE-2026-53738
  3. CVE-2025-2876
  4. CVE-2025-14741
  5. CVE-2025-8085
  6. CVE-2025-5071

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.