🔐 CVE Alert

CVE-2025-6380

CRITICAL 9.8

ONLYOFFICE Docs 1.1.0 - 2.2.0 - Missing Authorization to Unauthenticated Privilege Escalation via callback Function

CVSS Score 9.8
EPSS Score 0.0%
EPSS Percentile 0th

The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment post, but does not verify the requester’s identity or capabilities. This makes it possible for unauthenticated attackers to log in as an arbitrary user.
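To make the missing-authorization pattern concrete, here is an added illustration (not the plugin's own code): a WordPress REST `permission_callback` that only proves the referenced attachment exists, next to one that also binds the request to an authenticated user with a capability on that post. The route namespace, the `my_decrypt_attachment_id()` helper and the `edit_post` capability are assumptions for the example.

```php
<?php
// Added illustration of the CWE-862 pattern described above; not ONLYOFFICE code.
// Assumed: my_decrypt_attachment_id() turns the encrypted parameter into a post ID
// (or false), and the route lives under an example namespace.

// Weak: the permission callback only checks that the resource exists, so any
// request carrying a valid encrypted ID is authorized, logged in or not.
function example_weak_permission( WP_REST_Request $request ) {
    $id = my_decrypt_attachment_id( $request['attachment'] );
    return $id && get_post_type( $id ) === 'attachment';
}

// Hardened: the resource must exist AND the requester must be an authenticated
// user who is allowed to act on that specific post. Distinct status codes make
// the failure mode visible in logs without leaking which check tripped to users.
function example_hardened_permission( WP_REST_Request $request ) {
    $id = my_decrypt_attachment_id( $request['attachment'] );
    if ( ! $id || get_post_type( $id ) !== 'attachment' ) {
        return new WP_Error( 'rest_not_found', 'Unknown attachment', array( 'status' => 404 ) );
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'edit_post', $id ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions', array( 'status' => 403 ) );
    }
    return true;
}

// Placeholder handler: only reachable once the hardened permission check passes.
function example_callback_handler( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/callback', array(
        'methods'             => 'POST',
        'callback'            => 'example_callback_handler',
        'permission_callback' => 'example_hardened_permission',
        'args'                => array(
            'attachment' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The takeaway for reviewing any REST route is that the permission callback has to answer "who is asking, and may they?", not just "does the thing they named exist?".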

CWE CWE-862
Vendor onlyoffice
Product onlyoffice docs
Published Jul 24, 2025
Last Updated Jul 24, 2025

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Affected Versions

onlyoffice / ONLYOFFICE Docs
1.1.0 to 2.2.0 (inclusive)

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/608b0506-074b-4df3-8c30-57cfb090f553?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/onlyoffice/tags/2.2.0/public/views/class-onlyoffice-plugin-callback.php#L57
wordpress.org: https://wordpress.org/plugins/onlyoffice/#developers
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/onlyoffice/tags/2.2.0/public/class-onlyoffice-plugin-public.php#L111

Credits

Kenneth Dunn