9.8
CVE-2025-2798
- EPSS 0.62%
- Veröffentlicht 04.04.2025 13:44:36
- Zuletzt bearbeitet 08.08.2025 20:03:09
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
Woffice <= 5.4.21 - Authentication Bypass via Registration Role
Woffice <= 5.4.21 - Authentication Bypass via Registration Role
The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This makes it possible for unauthenticated attackers to register with an Administrator role if a custom login form is being used. This can be combined with CVE-2025-2797 to bypass the user approval process if an Administrator can be tricked into taking an action such as clicking a link.
Mögliche Gegenmaßnahme
Woffice CRM: Update to version 5.4.22, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemWordPress Theme
≫
Produkt
Woffice CRM
Version
*-5.4.21
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.62% | 0.447 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
https://hub.woffice.io/woffice/changelog#april-1st-2025-version-5422
https://www.wordfence.com/threat-intel/vulnerabilities/id/6dd6169b-bc94-4642-8975-2e96bc01576f?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/6dd6169b-bc94-4642-8975-2e96bc01576f