A critical flaw in the WordPress Hybrid Composer theme framework lets unauthenticated attackers flip site options and seize administrator accounts via a single AJAX call.
What Is It
CVE-2019-25738 is an unauthenticated settings change vulnerability in WordPress Hybrid Composer version 1.4.6. The hc_ajax_save_option action exposed through admin-ajax.php accepts POST requests without authenticating the caller, allowing arbitrary modification of WordPress options. The weakness is classified as CWE-306 (Missing Authentication for Critical Function).
It carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS 4.0 base score of 9.3 (CRITICAL). Attack vector is network, complexity is low, and neither privileges nor user interaction are required.
Why It Matters
Because the vulnerable endpoint can rewrite WordPress options without authentication, an attacker can enable public user registration and set the default new-user role to administrator. Any subsequent self-service signup then yields an admin account on the target site: a full account-takeover primitive against any WordPress install running the affected theme framework.
A public exploit is documented on Exploit-DB (entry 47154), lowering the bar for opportunistic mass abuse against exposed WordPress hosts.
What's Vulnerable
- Product: WordPress Hybrid Composer (theme framework)
- Affected version per NVD description: 1.4.6
- Vulnerable endpoint: `admin-ajax.php` with `action=hc_ajax_save_option`
- Impact: Unauthenticated arbitrary update of WordPress options, leading to admin account takeover via registration role abuse
No CPEs are enumerated in the NVD record, so operators should treat any site running Hybrid Composer as in-scope pending vendor confirmation.
Patch Status
The NVD record (published 2026-06-04, status: Deferred) does not list a fixed version or vendor patch advisory. The CISA KEV catalog entry supplied with this brief is empty, so there is no KEV-confirmed active exploitation flag or federal Required Action attached to this CVE at the time of writing.
Operators running Hybrid Composer 1.4.6 should:
- Remove or disable the Hybrid Composer theme/framework until a vendor fix is confirmed.
- Block unauthenticated POSTs carrying `action=hc_ajax_save_option` to `admin-ajax.php` at the WAF or web server.
- Audit `wp_options` for unexpected `users_can_register=1` and `default_role=administrator` settings, and review the user table for unauthorized admin accounts.
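The audit steps above, as an added example (not code from the original brief or from the Hybrid Composer project): it checks a `wp_options` dump for the risky registration settings, compares administrator logins against an operator-supplied allowlist, and scans combined-format access-log lines for POSTs to `admin-ajax.php` that name the vulnerable action. All sample data is constructed; the allowlist and log format are assumptions.

```python
import re

# Constructed sample wp_options rows, as dumped with
# `SELECT option_name, option_value FROM wp_options`.
SAMPLE_OPTIONS = {
    "users_can_register": "1",
    "default_role": "administrator",
    "blogname": "Example Site",
}

# Constructed sample user table rows: (user_login, role).
SAMPLE_USERS = [("siteowner", "administrator"), ("wpadmin2", "administrator"),
                ("editor1", "editor")]

# Constructed sample access-log lines in combined log format.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=hc_ajax_save_option HTTP/1.1" 200 17 "-" "curl/8.0"
198.51.100.2 - - [04/Jun/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# The option values the brief identifies as the takeover precondition.
RISKY = {"users_can_register": "1", "default_role": "administrator"}

def audit_options(options):
    """Return the wp_options names whose current value matches the risky setting."""
    return sorted(k for k, v in RISKY.items() if options.get(k) == v)

def unexpected_admins(users, known_admins):
    """Return administrator logins that are not on the operator's allowlist."""
    return sorted(u for u, r in users if r == "administrator" and u not in known_admins)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def find_save_option_posts(log_text):
    """Return (client_ip, timestamp, status) for POSTs to admin-ajax.php whose
    query string carries action=hc_ajax_save_option."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and "admin-ajax.php" in path and "action=hc_ajax_save_option" in path:
            hits.append((ip, ts, int(status)))
    return hits

if __name__ == "__main__":
    print("risky options:", audit_options(SAMPLE_OPTIONS))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"siteowner"}))
    print("suspicious posts:", find_save_option_posts(SAMPLE_LOG))
```

Standard access logs do not record the POST body, so a request that passes `action` only in the body is invisible to the log scan; the `wp_options` and user-table checks are the authoritative signal.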