
CVE-2025-2798

Data source: NVD (NIST)
Published: Apr 4, 2025
Modified: Aug 8, 2025

CVSS v3.1 base score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: security@wordfence.com (Secondary)

Description

The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This makes it possible for unauthenticated attackers to register with an Administrator role if a custom login form is being used. This can be combined with CVE-2025-2797 to bypass the user approval process if an Administrator can be tricked into taking an action such as clicking a link.
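The failure mode described above, a registration handler that lets the request name the role and only denylists a configurable set of "excluded" roles, can be illustrated generically. The following is an added example and not code from the Woffice theme or from Xtendify: the form field names (`role`, `user_login`, `user_email`, `user_pass`, `example_register`), the nonce action, and the option name `example_self_registration_roles` are assumptions. It shows the denylist pattern beside an allowlist pattern that also refuses any role carrying an administrative capability, so a misconfigured exclusion list cannot yield an Administrator account.

```php
<?php
/**
 * Added illustration (not Woffice code) of the role-exclusion failure mode
 * behind CVE-2025-2798. Form field names, nonce action and option names are
 * assumptions; the WordPress functions used are real core functions.
 */

/**
 * Vulnerable pattern: accept whatever role the request names unless it is on
 * the site's excluded-roles list. A misconfigured list (empty, wrong slug, or
 * display name such as 'Administrator' instead of the slug 'administrator')
 * lets an unauthenticated visitor register as an administrator.
 */
function example_vuln_role_from_request( array $request, array $excluded_roles ) {
	$role = isset( $request['role'] ) ? sanitize_key( $request['role'] ) : 'subscriber';
	if ( in_array( $role, $excluded_roles, true ) ) {
		$role = 'subscriber';
	}
	// With $excluded_roles = array( 'Administrator' ) and role=administrator in
	// the request, this returns 'administrator'.
	return $role;
}

/**
 * Hardened pattern: allowlist the roles self-registration may produce, fall
 * back to the site's default role otherwise, and independently reject any
 * role that carries an administrative capability, so a bad configuration
 * cannot re-enable privilege escalation.
 */
function example_safe_role_from_request( array $request, array $allowed_roles ) {
	$default = get_option( 'default_role', 'subscriber' );
	$role    = isset( $request['role'] ) ? sanitize_key( $request['role'] ) : $default;

	if ( ! in_array( $role, $allowed_roles, true ) ) {
		return $default;
	}
	$role_obj = get_role( $role );
	if ( null === $role_obj
		|| $role_obj->has_cap( 'manage_options' )
		|| $role_obj->has_cap( 'edit_users' )
		|| $role_obj->has_cap( 'promote_users' ) ) {
		return $default;
	}
	return $role;
}

/**
 * Registration handler built on the hardened helper. Hooked on 'init' as a
 * stand-in for a theme's custom form handler (assumed wiring).
 */
function example_handle_custom_registration() {
	if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || empty( $_POST['example_register'] ) ) {
		return;
	}
	if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'example_register' ) ) {
		wp_die( 'Invalid registration request.', '', array( 'response' => 403 ) );
	}
	if ( ! get_option( 'users_can_register' ) ) {
		wp_die( 'Registration is closed.', '', array( 'response' => 403 ) );
	}

	$password = (string) ( $_POST['user_pass'] ?? '' );
	if ( '' === $password ) {
		wp_die( 'A password is required.', '', array( 'response' => 400 ) );
	}

	// Roles a visitor may self-assign; defaults to subscriber only (assumed option name).
	$allowed = (array) get_option( 'example_self_registration_roles', array( 'subscriber' ) );

	$user_id = wp_insert_user( array(
		'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true ),
		'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
		'user_pass'  => $password,
		'role'       => example_safe_role_from_request( $_POST, $allowed ),
	) );

	if ( is_wp_error( $user_id ) ) {
		wp_die( esc_html( $user_id->get_error_message() ), '', array( 'response' => 400 ) );
	}
}
add_action( 'init', 'example_handle_custom_registration' );
```

The remediation for the real issue is updating the theme to 5.4.22 or later; the code above only shows why an allowlist is the safer shape for this check. Updating does not remove accounts an attacker may already have created, so after patching, enumerate administrators and recently registered users (for example `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`) and review any pending approval queue before trusting the user table again.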

Affected products (1)

Vendor: Xtendify
Product: Woffice (WordPress theme)
Affected versions: all versions before 5.4.22 (up to and including 5.4.21)
Fixed version: 5.4.22
