CVE-2019-25738
WordPress Hybrid Composer 1.4.6 Unauthenticated Settings Change
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to hc_ajax_save_option to enable user registration and set the default role to administrator, enabling account takeover.
| CWE | CWE-306 |
| Vendor | framework-y |
| Product | hybrid composer |
| Published | Jun 4, 2026 |
| Last Updated | Jun 4, 2026 |
Stay Ahead of the Next One
Get instant alerts for framework-y hybrid composer
Be the first to know when new critical vulnerabilities affecting framework-y hybrid composer are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
framework-y / Hybrid Composer
1.4.6
References
exploit-db.com: https://www.exploit-db.com/exploits/47154 wordpress.framework-y.com: http://wordpress.framework-y.com wordpress.framework-y.com: http://wordpress.framework-y.com/hybrid-composer/ labs.sucuri.net: https://labs.sucuri.net/wptf-hybrid-composer-unauthenticated-arbitrary-options-update/ vulncheck.com: https://www.vulncheck.com/advisories/wordpress-hybrid-composer-unauthenticated-settings-change
Credits
yasin