CVE-2025-15370 is an Insecure Direct Object Reference (IDOR) vulnerability in the Shield WordPress plugin (published under the title "Shield: Blocks Bots, Protects Users, and Prevents Security Breaches").
The issue is exposed in the MfaGoogleAuthToggle flow and related MFA configuration handlers, where a user-controlled user_id parameter is used to load and modify another user's MFA settings without sufficient authorization.
Why is it critical/important?
It permits authenticated attackers with Subscriber-level access or higher to disable Google Authenticator for arbitrary users.
This undermines multi-factor authentication protections and enables further account takeover or privilege escalation.
In a WordPress environment, compromising MFA for an administrative account significantly raises the risk of site-wide compromise.
What systems/versions are affected?
All versions of the Shield plugin up to and including 21.0.9 are affected.
Any WordPress site running an affected Shield version and allowing authenticated users access to the plugin’s MFA configuration endpoints is at risk.
Technical Details
Root cause analysis
The vulnerability is caused by missing authorization checks on a user-controlled user_id parameter.
In src/lib/src/ActionRouter/Actions/Render/Components/UserMfa/ConfigForm.php, the code loaded a user by ID from action_data['user_id'] or defaulted to the current user, without verifying that the requesting user was allowed to act on that ID.
In src/lib/src/ActionRouter/Actions/Render/Components/UserMfa/ConfigEdit.php, the code likewise loaded a user by supplied ID without checking whether the current user was the same user or an administrator.
Attack vector and exploitation conditions
Attacker requirements:
authenticated access to the WordPress site
Subscriber-level access or above
knowledge of or ability to guess the target user’s ID
Exploitation occurs by submitting a request containing a manipulated user_id parameter to the MFA configuration or edit endpoints.
Because the plugin did not validate that the requesting user was authorized to access the requested user’s MFA configuration, the request would be processed for the target account.
Security implications
Targeted disabling of Google Authenticator for arbitrary user accounts.
Bypass of MFA controls on privileged accounts.
Potential for administrative account compromise through subsequent credential abuse.
Loss of integrity and confidentiality for user accounts protected by the plugin’s MFA features.
Patch Analysis
What code changes were made?
ConfigForm.php:
Added retrieval of the current authenticated user using $WPU->getCurrentWpUser().
Parsed the requested user ID from $this->action_data['user_id'], defaulting to 0.
Added an authorization check: if the requested ID is non-zero and does not match the current user, require self::con()->this_req->is_security_admin.
If the check fails, throw ActionException('Invalid profile request.').
Load the target user by the requested ID once the check passes; when no user_id is supplied (the default of 0), fall back to the current user.
ConfigEdit.php:
Added retrieval of current user and current user ID.
Parsed requested user ID from action data.
Added an authorization check: if the requested user differs from the current user and the current user is not an administrator, throw ActionException('Invalid profile request.').
Load the user conditionally based on the validated requested ID.
How do these changes fix the vulnerability?
They convert a previously unchecked direct object reference into an authorized one.
The patch ensures that non-admin users can only access their own MFA configuration.
Only security administrators or regular administrators are allowed to act on another user's MFA settings. Note that the two handlers gate on different conditions: ConfigForm.php requires the Shield security-admin flag (this_req->is_security_admin), while ConfigEdit.php requires the WordPress administrator role, so an account must satisfy whichever check applies to the handler it reaches.
Security improvements introduced
Explicit authorization decision before loading a target user.
Default handling that prevents blind acceptance of arbitrary user_id values.
Clear failure path through exception handling for unauthorized requests.
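As an added illustration, not Shield's own source, the following stand-alone PHP models the user-loading step described above with the unchecked "before" beside the checked "after". The in-memory user table, the ActionException class, the user IDs, and the single boolean admin flag that stands in for both the is_security_admin check and the administrator-role check are assumptions made for this demo.

```php
<?php
// Added illustrative example (not Shield's own code): a minimal model of the
// user-loading step in the MFA config handlers, shown as the vulnerable
// "before" and the hardened "after". The user table, the exception class and
// the boolean admin flag are stand-ins assumed for this demo.

declare(strict_types=1);

class ActionException extends Exception {}

// Stand-in for the WordPress user table: id => [login, is_admin].
// Constructed sample data; IDs 1 and 7 are arbitrary.
const USERS = [
    1 => ['login' => 'admin',      'is_admin' => true],
    7 => ['login' => 'subscriber', 'is_admin' => false],
];

function loadUserById(int $id): ?array
{
    return array_key_exists($id, USERS) ? ['id' => $id] + USERS[$id] : null;
}

/**
 * Vulnerable "before": the ID supplied in action_data is trusted outright,
 * so any authenticated user can point user_id at any account.
 */
function resolveTargetUserVulnerable(array $actionData, int $currentUserId): ?array
{
    $requestedId = (int) ($actionData['user_id'] ?? 0);
    return loadUserById($requestedId > 0 ? $requestedId : $currentUserId);
}

/**
 * Hardened "after": a non-zero user_id that differs from the caller is only
 * honoured when the caller is a security admin (ConfigForm.php) or an
 * administrator (ConfigEdit.php), collapsed here into one flag. Everything
 * else throws, so the handler fails closed instead of acting on another account.
 */
function resolveTargetUserFixed(array $actionData, int $currentUserId, bool $callerIsAdmin): ?array
{
    $requestedId = (int) ($actionData['user_id'] ?? 0);
    if ($requestedId !== 0 && $requestedId !== $currentUserId && !$callerIsAdmin) {
        throw new ActionException('Invalid profile request.');
    }
    return loadUserById($requestedId > 0 ? $requestedId : $currentUserId);
}

// Scenario from the advisory: a Subscriber (ID 7) submits user_id=1 (the admin).
$subscriberId = 7;
$payload = ['user_id' => 1];

$victim = resolveTargetUserVulnerable($payload, $subscriberId);
printf("before: subscriber resolved target '%s' (id %d)\n", $victim['login'], $victim['id']);

try {
    resolveTargetUserFixed($payload, $subscriberId, USERS[$subscriberId]['is_admin']);
    echo "after: request accepted (unexpected)\n";
} catch (ActionException $e) {
    printf("after: rejected with '%s'\n", $e->getMessage());
}

// Legitimate cases still work: self-service with no user_id, and an admin
// acting on another account.
$self = resolveTargetUserFixed([], $subscriberId, false);
printf("after: subscriber with no user_id resolves to self (id %d)\n", $self['id']);
$byAdmin = resolveTargetUserFixed(['user_id' => 7], 1, USERS[1]['is_admin']);
printf("after: admin may target id %d\n", $byAdmin['id']);
```

Run with `php example.php`. The "before" call resolves the admin account for a Subscriber; the "after" call throws 'Invalid profile request.' for the same payload while still allowing a user to act on their own settings and an administrator to act on anyone.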
Proof of Concept (PoC) Guide
Prerequisites for exploitation
WordPress site with Shield plugin version 21.0.9 or earlier.
Authenticated account with Subscriber-level access or higher.
Ability to send requests to the plugin’s MFA configuration endpoints.
Target account ID to act against.
Step-by-step exploitation approach
Log in as a Subscriber or another low-privileged user.
Determine a target user ID, for example an administrator account ID.
Send a request to the Shield MFA configuration endpoint containing user_id=<target_id> in the action payload.
Use the endpoint responsible for MFA configuration or editing to disable Google Authenticator for the target user.
Expected behavior vs exploited behavior
Expected behavior:
Only the currently authenticated user can modify their own MFA settings.
Access to another user’s MFA configuration should be denied unless the requester is an admin/security admin.
Exploited behavior:
The plugin accepts the supplied user_id and allows the attacker to modify or disable MFA for the target account.
How to verify the vulnerability exists
Attempt the described request as a non-admin user.
If the request succeeds and the target user’s Google Authenticator setting is changed or disabled, the vulnerability is present.
If the plugin returns an "Invalid profile request." error after patching, the authorization fix is effective.
Recommendations
Mitigation strategies
Update Shield to a patched release later than 21.0.9; the fix is the authorization check added to ConfigForm.php and ConfigEdit.php described under Patch Analysis.
If an update is not immediately possible, restrict which authenticated accounts can reach the plugin's MFA configuration endpoints (the vulnerable handlers are reachable by Subscriber-level accounts, not only by administrators) and monitor authenticated user activity.
Remove or disable unused MFA management functionality for lower-privileged users.
Detection methods
Monitor logs for requests to Shield MFA endpoints that carry a user_id parameter, especially where the supplied user_id differs from the ID of the authenticated user making the request.
Alert on MFA configuration changes where the initiating account is not an administrator and is not the account whose settings are being changed.
Use vulnerability scanners or plugin-specific signatures to detect vulnerable Shield versions.
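The following stand-alone PHP is an added detection example, not part of the advisory or of the Shield plugin. It applies the "foreign user_id from a non-admin" rule to log lines. The log line format, the request paths and the user IDs are constructed for this demo; the advisory does not name the real Shield route, so the filter keys on the user_id parameter rather than on a specific URL, and Shield's security-admin flag (which is not a WordPress role) is assumed not to be present in the log.

```php
<?php
// Added detection example, not part of the advisory or of the Shield plugin:
// scan application log lines for requests that carry a user_id naming an
// account other than the authenticated actor while the actor is not an
// administrator. The log line format and request paths are constructed for
// this demo; the real Shield route is not stated in the advisory.

declare(strict_types=1);

// Roles treated as allowed to act on other users' MFA settings. Shield's own
// security-admin flag is not a WordPress role and would need a separate log
// field; assumed absent here.
const ADMIN_ROLES = ['administrator'];

/**
 * Parse one constructed log line of the form
 *   <time> uid=<actor id> role=<role> path=<request path> query=<query string>
 * Returns null for lines that do not match, so malformed input is skipped.
 */
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) uid=(\d+) role=(\S+) path=(\S+) query=(\S*)$/', trim($line), $m)) {
        return null;
    }
    parse_str($m[5], $params);
    return [
        'time'   => $m[1],
        'uid'    => (int) $m[2],
        'role'   => $m[3],
        'path'   => $m[4],
        'params' => $params,
    ];
}

/**
 * Return the entries worth alerting on. The rule mirrors the patched
 * authorization check: a non-zero user_id that differs from the acting user
 * is only legitimate when the actor holds an admin role.
 */
function flagSuspiciousMfaRequests(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        $e = parseLogLine($line);
        if ($e === null || !isset($e['params']['user_id'])) {
            continue;
        }
        $target  = (int) $e['params']['user_id'];
        $isAdmin = in_array($e['role'], ADMIN_ROLES, true);
        if ($target !== 0 && $target !== $e['uid'] && !$isAdmin) {
            $flagged[] = [
                'time'   => $e['time'],
                'actor'  => $e['uid'],
                'target' => $target,
                'reason' => sprintf('%s (uid %d) supplied foreign user_id=%d to %s',
                                    $e['role'], $e['uid'], $target, $e['path']),
            ];
        }
    }
    return $flagged;
}

// Constructed sample log; only the first and fifth lines should fire.
$sampleLog = [
    '2025-01-10T09:00:01Z uid=7 role=subscriber path=/example/mfa/config query=user_id=1',
    '2025-01-10T09:00:05Z uid=7 role=subscriber path=/example/mfa/config query=user_id=7',
    '2025-01-10T09:01:12Z uid=1 role=administrator path=/example/mfa/edit query=user_id=7',
    '2025-01-10T09:02:40Z uid=7 role=subscriber path=/example/mfa/config query=',
    '2025-01-10T09:03:03Z uid=3 role=editor path=/example/mfa/edit query=user_id=1&toggle=off',
    'garbage line that does not parse',
];

foreach (flagSuspiciousMfaRequests($sampleLog) as $hit) {
    echo $hit['time'], ' ALERT ', $hit['reason'], PHP_EOL;
}
```

Self-service changes (user_id equal to the actor's own ID or absent) and administrator actions on other accounts are not flagged, which keeps the rule aligned with the patched behaviour rather than alerting on every MFA request. Adapt the regular expression to the actual log format and, if Shield's security-admin status is logged, add it to the allowed set.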
Best practices to prevent similar issues
Never trust user-supplied object identifiers without authorization checks.
Enforce “same user or admin” checks when accessing user-specific resources.
Prefer current user context over user-supplied IDs for sensitive operations.
Implement explicit capability checks and fail closed when authorization cannot be confirmed.
Regularly review access control logic for user management and authentication flows.
Frequently asked questions about CVE-2025-15370
What is CVE-2025-15370?
CVE-2025-15370 is an Insecure Direct Object Reference in the Shield WordPress plugin's MFA configuration handlers that lets an authenticated Subscriber-level user disable Google Authenticator for any other user, including administrators. This advisory covers the root cause, the patch, affected versions, and remediation guidance.
Is there a PoC (proof of concept) for CVE-2025-15370?
Yes. This writeup includes proof-of-concept details and a technical exploit breakdown for CVE-2025-15370. Review the Proof of Concept (PoC) Guide above for the walkthrough.
How does CVE-2025-15370 get exploited?
The technical analysis section explains the vulnerability mechanics, attack vectors, and exploitation methodology. PatchLeaks publishes this information for defensive and educational purposes.
What products and versions are affected by CVE-2025-15370?
All versions of the Shield WordPress plugin up to and including 21.0.9 are affected; see the affected-versions section above for the vulnerable configuration.
How do I fix or patch CVE-2025-15370?
Update Shield to a patched release later than 21.0.9. The Patch Analysis section explains the fix, and the Recommendations section lists workarounds and compensating controls for sites that cannot update immediately.
What is the CVSS score for CVE-2025-15370?
This writeup does not state a CVSS score. Refer to the NVD entry for CVE-2025-15370 for the current authoritative rating.