1 vulnerability by felipe152
CVE-2025-3906 (GCVE-0-2025-3906)
Vulnerability from cvelistv5 – Published: 2025-04-26 05:34 – Updated: 2026-04-08 17:31
Title
Integração entre Eduzz e Woocommerce 1.5.0 - 1.7.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Summary
The Integração entre Eduzz e Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wep_opcoes' function in all versions up to, and including, 1.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the default role assigned by the plugin's registration flow to Administrator, which in turn allows any user registering through that flow to create an Administrator account.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| felipe152 | Integração entre Eduzz e Woocommerce | Affected: 0, ≤ 1.7.5 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3906",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T13:38:21.291324Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T15:34:41.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Integra\u00e7\u00e3o entre Eduzz e Woocommerce",
"vendor": "felipe152",
"versions": [
{
"lessThanOrEqual": "1.7.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Integra\u00e7\u00e3o entre Eduzz e Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027wep_opcoes\u0027 function in all versions up to, and including, 1.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the default registration role within the plugin\u0027s registration flow to Administrator, which allows any user to create an Administrator account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:14.104Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eb85ed32-c391-45d2-9e86-cb97009210cd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/integracao-entre-eduzz-e-wc-powers/trunk/admin/class-wep-admin.php#L120"
},
{
"url": "https://plugins.trac.wordpress.org/browser/integracao-entre-eduzz-e-wc-powers/trunk/include/class-wep-webhook.php#L7"
},
{
"url": "https://plugins.trac.wordpress.org/browser/integracao-entre-eduzz-e-wc-powers/trunk/wep-powers.php#L19"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-25T16:49:12.000Z",
"value": "Disclosed"
}
],
"title": "Integra\u00e7\u00e3o entre Eduzz e Woocommerce 1.5.0 - 1.7.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3906",
"datePublished": "2025-04-26T05:34:24.565Z",
"dateReserved": "2025-04-23T16:37:25.873Z",
"dateUpdated": "2026-04-08T17:31:14.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}