CVE-2025-66428: Privilege Escalation via WordPress Directory Names in WebPros WordPress Toolkit
This high-severity vulnerability (CVSS 8.8) in WebPros WordPress Toolkit allows users who already hold some privileges to escalate their access. An attacker could leverage the flaw to obtain higher permissions than intended, potentially gaining full control over the WordPress installations the toolkit manages.
Consider a hotel where staff keycards open certain rooms according to each member's role, but a trick involving renaming the floor plans lets a junior staff member's keycard suddenly open the manager's office. This vulnerability arises from how the toolkit handles WordPress directory names: a user with some initial privileges can manipulate that handling. By exploiting the issue, a less-privileged account could gain administrative control over the WordPress sites the toolkit manages, performing actions normally reserved for higher-level users and effectively promoting itself without authorization.