CVE-2025-5304
📋 TL;DR
The PT Project Notebooks WordPress plugin versions 1.0.0 through 1.1.3 contain a privilege escalation vulnerability in the wpnb_pto_new_users_add() function. Unauthenticated attackers can exploit this missing authorization check to gain administrator privileges on affected WordPress sites. Any WordPress site using the vulnerable plugin versions is affected.
💻 Affected Systems
- PT Project Notebooks WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover: attackers gain full administrative control, can install backdoors, steal data, deface the site, or use it for further attacks.
Likely Case
Attackers gain admin access and install malicious plugins/themes, create backdoor accounts, or inject malicious content.
If Mitigated
Attack is blocked by proper access controls, leaving only failed authentication attempts in logs.
🎯 Exploit Status
The vulnerability is straightforward to exploit - attackers can send crafted requests to the vulnerable endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.4 or later
Vendor Advisory: https://wordpress.org/plugins/project-notebooks/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'PT Project Notebooks'.
4. Click 'Update Now' if an update is available.
5. If no update is offered, deactivate and delete the plugin, then install a fresh copy of version 1.1.4+ from the WordPress repository.
🔧 Temporary Workarounds
Disable Plugin
Deactivate the vulnerable plugin to prevent exploitation.
wp plugin deactivate project-notebooks
Web Application Firewall Rule
Block requests to the vulnerable endpoint.
# Placeholder: add a WAF rule that blocks requests to admin-ajax.php / admin-post.php whose action parameter is wpnb_pto_new_users_add
🧯 If You Can't Patch
- Deactivate and remove the PT Project Notebooks plugin immediately
- Implement strict network access controls to limit WordPress admin access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for PT Project Notebooks version. If version is between 1.0.0 and 1.1.3, you are vulnerable.
Check Version:
wp plugin get project-notebooks --field=version
Verify Fix Applied:
After update, verify plugin version shows 1.1.4 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php or admin-post.php with wpnb_pto_new_users_add parameter
- Sudden creation of new administrator accounts
- Failed login attempts followed by successful admin login from same IP
Network Indicators:
- HTTP requests containing 'wpnb_pto_new_users_add' parameter from unauthenticated sources
SIEM Query:
source="wordpress.log" AND ("wpnb_pto_new_users_add" OR "admin_user_added") AND NOT src_ip IN admin_whitelist
(pseudo-query; adapt the field names and set syntax to your SIEM)
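The log indicators above, turned into a small detector as an added example (not code from the plugin or the advisory). It parses constructed access-log lines in Apache/nginx combined format, flags requests to admin-ajax.php or admin-post.php that carry the wpnb_pto_new_users_add action, and suppresses hits from an assumed admin allowlist; the sample IPs and timestamps are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wpnb_pto_new_users_add HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [10/Jun/2025:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2025:12:00:09 +0000] "POST /wp-admin/admin-post.php?action=wpnb_pto_new_users_add HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:12:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")
INDICATOR = "wpnb_pto_new_users_add"

def parse_line(line):
    """Split one combined-format line into ip, timestamp, method, path, query, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec

def find_indicators(log_text, admin_allowlist=frozenset()):
    """Return (ip, timestamp, path, status) for each request that reaches the
    vulnerable endpoints with the wpnb_pto_new_users_add action, skipping
    trusted admin source IPs. Only query-string parameters are visible in an
    access log; an action sent in a POST body needs WAF or application logs."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] in admin_allowlist:
            continue
        if rec["path"] not in ENDPOINTS:
            continue
        values = {v for vals in rec["query"].values() for v in vals}
        if INDICATOR in values or INDICATOR in rec["query"]:
            hits.append((rec["ip"], rec["ts"], rec["path"], int(rec["status"])))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG, admin_allowlist={"192.0.2.10"}):
        print("ALERT", hit)
```

A hit from an allowlisted address still deserves a look if it coincides with a new administrator account, since the page's second indicator is the account creation itself.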
🔗 References
- https://plugins.trac.wordpress.org/browser/project-notebooks/tags/1.1.3/includes/structure/admin/pto_admin_settings.php#L233
- https://plugins.trac.wordpress.org/browser/project-notebooks/tags/1.1.3/includes/structure/admin/pto_admin_settings.php#L36
- https://wordpress.org/plugins/project-notebooks/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/552ec9fc-5bff-4bee-be04-39892c89cd59?source=cve