PatchSiren cyber security CVE debrief
CVE-2019-25738 framework-y CVE debrief
CVE-2019-25738 is a critical vulnerability in WordPress Hybrid Composer 1.4.6. It allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to hc_ajax_save_option to enable user registration and set the default role to administrator, enabling account takeover.
- Vendor: framework-y
- Product: Hybrid Composer
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-04
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-04
Who should care
Administrators of WordPress sites using Hybrid Composer 1.4.6 should prioritize patching this vulnerability to prevent potential attacks.
Technical summary
The vulnerability exists in the hc_ajax_save_option action of Hybrid Composer 1.4.6. This action allows unauthenticated attackers to modify WordPress options. The CVSS score for this vulnerability is 9.3, indicating a critical severity.
Defensive priority
High
Recommended defensive actions
- Update Hybrid Composer to a patched version.
- Restrict access to the admin-ajax.php endpoint.
- Monitor for suspicious activity on the WordPress site.
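One way to carry out the monitoring step, as an added example (not code from the advisory or the vendor): it flags unauthenticated POSTs to admin-ajax.php carrying the hc_ajax_save_option action, and checks for the end state described above. The JSON log fields (`ip`, `method`, `path`, `params`, `logged_in`) are assumptions about a WAF or audit log that records request parameters; `users_can_register` and `default_role` are WordPress core option names.

```python
import json

ACTION = "hc_ajax_save_option"  # AJAX action named in the advisory

# Constructed sample records. The field names are assumptions about an
# audit log that captures request parameters, not a real product's format.
SAMPLE_LOG = """\
{"ip": "198.51.100.7", "method": "POST", "path": "/wp-admin/admin-ajax.php", "params": {"action": "hc_ajax_save_option"}, "logged_in": false}
{"ip": "203.0.113.9", "method": "POST", "path": "/wp-admin/admin-ajax.php", "params": {"action": "heartbeat"}, "logged_in": true}
{"ip": "203.0.113.9", "method": "POST", "path": "/wp-admin/admin-ajax.php", "params": {"action": "hc_ajax_save_option"}, "logged_in": true}
not-json garbage line
"""

def suspicious_requests(log_text):
    """Return records that POST the vulnerable action without a login session."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(rec, dict):
            continue
        params = rec.get("params") or {}
        path = str(rec.get("path", "")).split("?")[0]
        if (str(rec.get("method", "")).upper() == "POST"
                and path.endswith("/admin-ajax.php")
                and params.get("action") == ACTION
                and not rec.get("logged_in", False)):
            hits.append(rec)
    return hits

def registration_takeover_state(options):
    """True when options match the outcome the advisory describes:
    open registration with new accounts defaulting to administrator."""
    return (str(options.get("users_can_register", "0")) == "1"
            and options.get("default_role") == "administrator")

if __name__ == "__main__":
    for rec in suspicious_requests(SAMPLE_LOG):
        print("unauthenticated", ACTION, "request from", rec["ip"])
    current = {"users_can_register": "1", "default_role": "administrator"}
    print("takeover state present:", registration_takeover_state(current))
```

A hit from either check on a site running Hybrid Composer 1.4.6 warrants reviewing recently created administrator accounts.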
Evidence notes
The CVE record and NVD detail provide evidence of the vulnerability's existence and its critical severity.
Official resources
CVE-2019-25738 was published on 2019-03-26T00:00:00.000Z and modified on 2019-03-26T00:00:00.000Z.