PatchSiren

framework-y CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL framework-y CVE published 2026-06-04

CVE-2019-25738

CVE-2019-25738 is a critical vulnerability in WordPress Hybrid Composer 1.4.6 that allows unauthenticated attackers to modify WordPress options through the hc_ajax_save_option action. By sending POST requests to the admin-ajax.php endpoint with the action parameter set to hc_ajax_save_option, attackers can enable user registration and set the default role to administrator, which leads to account takeover.