Unauthenticated WordPress Settings Modification in Hybrid Composer

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to hc_ajax_save_option to enable user registration and set the default role to administrator, enabling account takeover.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

WordPress Hybrid Composer version 1.4.6 and earlier contain a critical authentication bypass vulnerability (CVE-2019-25738, CVSS 9.8) that allows unauthenticated attackers to modify WordPress configuration settings through the hc_ajax_save_option AJAX action. By sending specially crafted POST requests to wp-admin/admin-ajax.php, attackers can manipulate WordPress options without any authentication, most dangerously enabling user registration and setting the default role to administrator. This vulnerability directly enables account takeover and complete WordPress site compromise, affecting any organization using the vulnerable Hybrid Composer plugin version. The lack of proper authentication checks (CWE-306) on administrative functions represents a fundamental security failure that exposes millions of WordPress installations to remote adversarial control.

Casky.ai's 261 matching skills leverage Claude AI's extended reasoning to detect the attack patterns underlying this vulnerability across two critical MITRE ATT&CK phases: Initial Access (TA0004) and Credential Access (TA0006). Practitioners would observe findings related to suspicious unauthenticated AJAX requests to admin-ajax.php with the hc_ajax_save_option parameter, unusual WordPress option modifications bypassing normal admin interfaces, and detection of newly created administrator accounts following exploitation attempts. The platform's skill mapping identifies anomalous authentication patterns—specifically the absence of required authentication tokens or session validation—combined with administrative action execution from untrusted sources. Security teams using Casky would see correlated detections revealing the progression from initial unauthenticated access through to successful privilege escalation and account creation, enabling rapid incident response before attackers establish persistent administrative access.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2019-25738.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2019-25738

Casky has 261 skills that investigate the attack patterns behind CVE-2019-25738. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn