Actively Exploited: Critical Flaw CVE-2025-6388 (CVSS 9.8) Allows Authentication Bypass in WordPress Plugin

A newly disclosed vulnerability in the Spirit Framework plugin for WordPress has put thousands of websites at immediate risk of compromise. Tracked as CVE-2025-6388, the flaw carries a CVSS score of 9.8 (Critical) and could allow attackers to bypass authentication, seize control of accounts, and escalate privileges to site administrators.

The vulnerability affects all versions up to and including 1.2.14 of the Spirit Framework plugin. At its core, the issue lies in improper identity validation within the custom_actions() function.

According to the disclosure, “The Spirit Framework plugin for WordPress is vulnerable to authentication bypass … due to the custom_actions() function not properly validating a user’s identity prior to authenticating them to the site.”

In practice, this means that an attacker who knows the username of a valid account—such as an administrator—can log in without needing the corresponding password.

Security provider Wordfence confirmed active exploitation, reporting: “Wordfence blocked 20 attacks targeting this vulnerability in the past 24 hours.”

Once inside, adversaries could take over accounts, escalate privileges to administrator, install backdoors, or inject malicious content—all without triggering standard authentication checks.

This type of vulnerability is especially dangerous for WordPress, given its widespread use in powering enterprise, e-commerce, and personal websites worldwide.

The developers have released Spirit Framework version 1.2.15, which includes a patch to properly validate user identities before granting authentication. Website administrators are urged to update immediately.

Failure to patch leaves sites vulnerable to full account takeover, potentially resulting in defacement, data theft, or deployment of malware.

Related Posts:

• WordPress Issues Urgent Security Update to Patch Multiple Vulnerabilities
• WordPress Releases Urgent Security Patch – Update Immediately!

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.