CVE-2025-6380
📋 TL;DR
This vulnerability in the ONLYOFFICE Docs WordPress plugin allows unauthenticated attackers to escalate privileges by exploiting a missing authorization check in the oo.callback REST endpoint. Attackers can log in as any user, including administrators, on WordPress sites running vulnerable plugin versions. All WordPress installations with the affected plugin versions are at risk.
💻 Affected Systems
- ONLYOFFICE Docs plugin for WordPress, versions 1.1.0 through 2.2.0 (fixed in 2.2.1)
⚠️ Manual Verification Required
This CVE entry does not carry machine-readable version ranges, so automated scanners that match on NVD/CPE data may not flag an affected install.
Why? The NVD record for this CVE does not specify affected version ranges. The range used on this page (1.1.0 through 2.2.0 affected, 2.2.1 fixed) comes from the advisory references below, so check the installed plugin version by hand against it.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 2.2.1 or later; if you cannot, apply one of the workarounds below
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative access to the WordPress site, enabling data theft, site defacement, or malware deployment.
Likely Case
Attackers compromise user accounts to steal sensitive information or perform unauthorized actions.
If Mitigated
With the plugin deactivated or the callback endpoint blocked, the exploit path is closed. Monitoring on its own only detects exploitation; because the request is unauthenticated and yields an administrator session, there is no lesser "isolated account breach" outcome to fall back on, so treat any reachable vulnerable install as a critical risk.
🎯 Exploit Status
Exploitation requires sending crafted requests to the vulnerable endpoint, which is straightforward due to missing authorization checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.1 or later
Vendor Advisory: https://wordpress.org/plugins/onlyoffice/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin dashboard.
2. Navigate to Plugins > Installed Plugins.
3. Locate 'ONLYOFFICE Docs' and check for updates.
4. If an update is available, click 'Update Now' to install version 2.2.1 or higher.
5. Verify the plugin version after the update.
🔧 Temporary Workarounds
Disable the ONLYOFFICE Docs plugin
Temporarily deactivate the plugin until you can update to 2.2.1. A deactivated plugin does not run, so its REST routes are never registered and the endpoint stops responding.
wp plugin deactivate onlyoffice
Restrict access to the oo.callback endpoint
Use a web application firewall (WAF) or .htaccess rules to reject requests to the vulnerable REST endpoint. Two caveats: a blanket block also stops the legitimate callbacks your ONLYOFFICE Document Server sends when a document is saved, so allow-list its address if editing must keep working; and a path-only rule is incomplete, because WordPress also serves REST routes through the rest_route query parameter (/?rest_route=/onlyoffice/v1/oo.callback), so a WAF rule should match that form as well. Deactivating the plugin is the more reliable stopgap.
# Example .htaccess rule (place it above the "# BEGIN WordPress" block so a permalink flush does not overwrite it):
RewriteEngine On
RewriteRule ^wp-json/onlyoffice/v1/oo\.callback - [F]
🧯 If You Can't Patch
- Restrict who can reach the site, or at least the callback endpoint, to known networks; allow-list your ONLYOFFICE Document Server's address, which must still be able to reach the callback for document saves to work.
- Enable detailed logging and monitoring for suspicious activity on the oo.callback endpoint to detect exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins; if the version is 1.1.0 through 2.2.0 inclusive, it is vulnerable.
Check Version:
wp plugin get onlyoffice --field=version
Verify Fix Applied:
After updating, confirm the plugin version is 2.2.1 or higher in the WordPress admin plugins list.
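The following POSIX shell script is an added example (not code from this advisory or from the ONLYOFFICE project) that ties the verification and update steps above together with WP-CLI: it compares the installed version against the range this page lists (1.1.0 through 2.2.0, fixed in 2.2.1), updates the plugin if it is in range, and falls back to the deactivation workaround if the update does not reach 2.2.1. It assumes WP-CLI is installed as `wp` and run from the WordPress root (or with `--path`), and that the plugin slug is `onlyoffice`, as in the commands above.

```shell
#!/bin/sh
# Added example, not taken from the advisory or the ONLYOFFICE plugin:
# check the installed ONLYOFFICE Docs version against the range this page
# gives as vulnerable (1.1.0 through 2.2.0, fixed in 2.2.1) and remediate.
# Assumptions: WP-CLI is installed as `wp` and run from the WordPress root
# (or with --path=...), and the plugin slug is `onlyoffice`.

VULN_MIN="1.1.0"   # first affected version listed on this page
FIXED="2.2.1"      # first fixed version listed on this page

# vercmp A B: print -1, 0 or 1 as dotted version A is <, = or > B.
# Components are compared numerically; a missing component counts as 0,
# so "2.2" equals "2.2.0". A pre-release suffix ("2.2.1-rc1") is ignored.
vercmp() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in *.*) x=${a%%.*}; a=${a#*.} ;; *) x=$a; a= ;; esac
        case $b in *.*) y=${b%%.*}; b=${b#*.} ;; *) y=$b; b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# is_vulnerable VERSION: succeed (exit 0) when VULN_MIN <= VERSION < FIXED.
is_vulnerable() {
    [ "$(vercmp "$1" "$VULN_MIN")" -ge 0 ] && [ "$(vercmp "$1" "$FIXED")" -lt 0 ]
}

# remediate: read the live version with WP-CLI, update if it is in range, and
# deactivate the plugin (the page's workaround) if the update does not land.
remediate() {
    v=$(wp plugin get onlyoffice --field=version 2>/dev/null) || {
        echo "onlyoffice plugin not installed or wp unavailable"; return 0; }
    if ! is_vulnerable "$v"; then
        echo "ONLYOFFICE Docs $v is outside the vulnerable range"; return 0
    fi
    echo "ONLYOFFICE Docs $v is vulnerable (CVE-2025-6380); updating"
    wp plugin update onlyoffice
    v=$(wp plugin get onlyoffice --field=version)
    if is_vulnerable "$v"; then
        echo "still at $v after update; deactivating plugin until it can be patched"
        wp plugin deactivate onlyoffice
        return 1
    fi
    echo "ONLYOFFICE Docs now at $v"
}

# Run the remediation only when invoked with --run, so the functions can be
# sourced and exercised without touching a live site.
if [ "${1:-}" = "--run" ]; then remediate; fi
```

Run it as `sh check-onlyoffice.sh --run` on the host; the version comparison is kept separate from the WP-CLI calls so it can be reused against a version string pulled from anywhere (for example a fleet inventory) without needing `wp` on the machine doing the checking.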
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-json/onlyoffice/v1/oo.callback (or its /?rest_route=/onlyoffice/v1/oo.callback form) from any address other than your ONLYOFFICE Document Server, which is the only client that should call this endpoint
- Sudden privilege changes, new administrator accounts, or admin logins from unexpected sources shortly after such requests
Network Indicators:
- Spikes in traffic to the oo.callback endpoint
- Callback requests carrying encrypted attachment IDs that originate from addresses other than the Document Server
SIEM Query:
source="wordpress_logs" AND uri="/wp-json/onlyoffice/v1/oo.callback" AND status=200 AND user="-"
Field names are illustrative; adapt them to your log schema, and exclude the Document Server's source address, since its legitimate callbacks are also unauthenticated at the HTTP layer.
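As an added example (not from this advisory), the script below applies the log indicators and the SIEM query above to a combined-format web server access log: it flags every request to the callback route that did not come from the ONLYOFFICE Document Server, matching both the /wp-json/ path form and the ?rest_route= query form WordPress also accepts, and separates requests the site processed (2xx) from ones a WAF rejected. The log lines are constructed for the example, the Document Server address 10.0.0.5 is an assumption, and a site with several Document Servers would need a list rather than a single address.

```shell
#!/bin/sh
# Added example, not taken from the advisory: scan a combined-format access
# log for requests to the vulnerable callback route and report those that did
# not come from the ONLYOFFICE Document Server, which is the only client that
# should legitimately call it. Both URL forms WordPress accepts for a REST
# route are matched: the /wp-json/... path and the ?rest_route=... query form,
# which a path-only block rule misses.
# Assumptions: the Document Server address (10.0.0.5 below) is known and
# single; the log follows the Apache/nginx "combined" layout.

# flag_callbacks TRUSTED_IP: read log lines on stdin and print one line per
# suspicious callback request as "<client ip> <status> <url form> <verdict>".
flag_callbacks() {
    awk -v trusted="$1" '
    {
        target = $7; status = $9         # combined log: $1 ip, $7 target, $9 status
        form = ""
        if (target ~ /^\/wp-json\/onlyoffice\/v1\/oo\.callback/) form = "path"
        else if (target ~ /[?&]rest_route=\/onlyoffice\/v1\/oo\.callback/) form = "rest_route"
        if (form == "" || $1 == trusted) next
        verdict = (status ~ /^2/) ? "SUCCESS" : "BLOCKED"   # 2xx: the site processed it
        printf "%s %s %s %s\n", $1, status, form, verdict
    }'
}

# count_success TRUSTED_IP: number of flagged requests the site actually
# processed (2xx); these are the ones that warrant an account and role audit.
count_success() {
    flag_callbacks "$1" | grep -c SUCCESS
}

# Constructed sample log (not real traffic). 10.0.0.5 plays the Document Server.
SAMPLE_LOG='203.0.113.10 - - [12/Jun/2025:10:01:02 +0000] "POST /wp-json/onlyoffice/v1/oo.callback?id=AbC HTTP/1.1" 200 17 "-" "curl/8.5.0"
10.0.0.5 - - [12/Jun/2025:10:01:05 +0000] "POST /wp-json/onlyoffice/v1/oo.callback?id=QwE HTTP/1.1" 200 17 "-" "Node.js"
203.0.113.10 - - [12/Jun/2025:10:01:09 +0000] "POST /?rest_route=/onlyoffice/v1/oo.callback&id=AbC HTTP/1.1" 200 17 "-" "curl/8.5.0"
198.51.100.7 - - [12/Jun/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jun/2025:10:03:30 +0000] "POST /wp-json/onlyoffice/v1/oo.callback HTTP/1.1" 403 199 "-" "python-requests/2.32"'

# Runs against the sample when executed directly; on a real host pipe the log in:
#   flag_callbacks 10.0.0.5 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_callbacks 10.0.0.5
```

On the sample this reports three requests (two processed with 200, one rejected with 403) and skips the Document Server's own callback and the unrelated REST call. A 200 only tells you the endpoint ran; whether the attacker obtained a session must be confirmed from WordPress-side evidence such as new or modified administrator accounts.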
🔗 References
- https://plugins.trac.wordpress.org/browser/onlyoffice/tags/2.2.0/public/class-onlyoffice-plugin-public.php#L111
- https://plugins.trac.wordpress.org/browser/onlyoffice/tags/2.2.0/public/views/class-onlyoffice-plugin-callback.php#L57
- https://wordpress.org/plugins/onlyoffice/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/608b0506-074b-4df3-8c30-57cfb090f553?source=cve