CVE-2025-2798: Critical Authentication Bypass in Woffice CRM WordPress Theme

Overview

A critical security vulnerability has been discovered in the Woffice CRM WordPress theme, affecting all versions up to and including 5.4.21. Tracked as CVE-2025-2798, this flaw allows unauthenticated users to gain Administrator-level access through a misconfiguration in the user registration process.

Technical Details

The vulnerability stems from improper privilege management (CWE-269): the set of roles excluded during registration is misconfigured, which lets attackers abuse the theme's custom login forms. Where such forms are in use, an unauthenticated visitor can register an account that is granted Administrator privileges.

Even more concerning, this issue can be compounded when combined with CVE-2025-2797, which may allow bypassing the user approval process if an Administrator is tricked into taking certain actions, such as clicking a malicious link.

Severity and CVSS Score

This vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This means:

  • Attack Vector: Network-based
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Impact: High on confidentiality, integrity, and availability

Impact

The ability for unauthenticated users to register as Administrators poses a severe threat. Attackers could fully compromise the site by gaining control over its administrative features. The combination with other vulnerabilities further increases the risk, potentially enabling full site takeover with little to no user interaction.

Mitigation Steps

  • Update Immediately: Upgrade to version 5.4.22 or later of the Woffice CRM theme.
  • Audit Custom Login Forms: Review and secure any custom user registration forms in use.
  • Review User Roles: Check for any suspicious administrator accounts created recently.
  • Educate Administrators: Train site admins to avoid clicking unknown or suspicious links.
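To support the "Review User Roles" step, the following added example (not from the advisory or the Woffice project) audits the CSV output of WP-CLI's `wp user list` for Administrator accounts that warrant a closer look: those registered on or after a cutoff date, or whose login is missing from an allowlist of known administrators. The cutoff date, the allowlist file and the WP-CLI invocation in the trailing comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory or the theme. Flags Administrator
# accounts for review based on registration date and a known-admin allowlist.
#
# audit_admins CUTOFF ALLOWLIST_FILE < csv
#   csv columns (header row included): ID,user_login,user_registered
#   CUTOFF is YYYY-MM-DD; ALLOWLIST_FILE holds one known admin login per line
#   prints one line per flagged account: <reason> <ID> <user_login> <user_registered>
audit_admins() {
  cutoff="$1"; allowlist="$2"
  awk -F',' -v cutoff="$cutoff" -v allow="$allowlist" '
    BEGIN {
      # load the known administrator logins (assumed file, one login per line)
      while ((getline line < allow) > 0) known[line] = 1
      close(allow)
    }
    NR == 1 { next }                      # skip the CSV header row
    {
      id = $1; login = $2; registered = $3
      reason = ""
      # WordPress stores user_registered as YYYY-MM-DD HH:MM:SS, so the
      # date prefix compares correctly as a plain string
      if (substr(registered, 1, 10) >= cutoff) reason = "recent"
      if (!(login in known)) reason = (reason == "" ? "unknown" : reason "+unknown")
      if (reason != "") printf "%s %s %s %s\n", reason, id, login, registered
    }'
}

# Usage against a live site, run from the WordPress root (placeholder values):
#   wp user list --role=administrator \
#       --fields=ID,user_login,user_registered --format=csv \
#     | audit_admins 2025-03-01 /path/to/known_admins.txt
```

Any account reported as "recent" or "unknown" should be verified with the site owner and, if unexplained, disabled and investigated.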

Credits

Thanks to Friderika Baranyai for responsibly disclosing this issue.
