CVE-2025-3906

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-3906
The Integração entre Eduzz e Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wep_opcoes' function in all versions up to, and including, 1.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the default registration role within the plugin's registration flow to Administrator, which allows any user to create an Administrator account.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/integracao-entre-eduzz-e-wc-powers/trunk/admin/class-wep-admin.php#L120
https://plugins.trac.wordpress.org/browser/integracao-entre-eduzz-e-wc-powers/trunk/include/class-wep-webhook.php#L7
https://plugins.trac.wordpress.org/browser/integracao-entre-eduzz-e-wc-powers/trunk/wep-powers.php#L19
https://www.wordfence.com/threat-intel/vulnerabilities/id/eb85ed32-c391-45d2-9e86-cb97009210cd?source=cve
Configurations

No configuration.

History

29 Apr 2025, 13:52

Type Values Removed Values Added
Summary
  • (es) El complemento Integração entre Eduzz e Woocommerce para WordPress es vulnerable a la modificación no autorizada de datos debido a la falta de comprobación de la función 'wep_opcoes' en todas las versiones hasta la 1.7.5 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, editen el rol de registro predeterminado dentro del flujo de registro del complemento a Administrador, lo que permite a cualquier usuario crear una cuenta de Administrador.

26 Apr 2025, 06:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-26 06:15

Updated : 2025-04-29 13:52

NVD link : CVE-2025-3906

Mitre link : CVE-2025-3906

CVE.ORG link : CVE-2025-3906

JSON object : View

Products Affected

No product.

CWE
CWE-862

Missing Authorization