PT-2025-13607 · WordPress · Checkout Mestres Wp

Kenneth Dunn

·

Published

2025-03-29

·

Updated

2025-04-03

·

CVE-2025-2266

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Checkout Mestres do WP for WooCommerce plugin for WordPress, versions 8.6.5 through 8.7.5
Description

The Checkout Mestres do WP for WooCommerce plugin is missing a capability check on its cwmpUpdateOptions() function, so any unauthenticated visitor can reach it and update arbitrary options in the site's wp_options table. The practical escalation path is to set the default role for new registrations (default_role) to administrator and enable user registration (users_can_register), then register a new account, which is created with administrator privileges. The CVSS vector (network reachable, no privileges, no user interaction, high impact on confidentiality, integrity and availability) reflects a full site takeover.
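The following is an added illustration and not code from the plugin or from this advisory: the real cwmpUpdateOptions() implementation and the hook it is registered on are not on the page, so the function names, hook names and option names prefixed cwmp_example_ are assumptions chosen to show the pattern described above. It puts the vulnerable shape of such an AJAX handler (reachable through wp_ajax_nopriv_, no capability check, any option name accepted) next to a hardened form with nonce verification, a manage_options capability check and an allowlist of the plugin's own option names. All WordPress API calls used (add_action, check_ajax_referer, current_user_can, update_option, wp_send_json_error, wp_send_json_success, sanitize_key, sanitize_text_field, wp_unslash) are standard core functions.

```php
<?php
// Added example, not the plugin's code. Names prefixed cwmp_example_ are assumptions.

// --- Vulnerable pattern: the handler is reachable without a session and writes
//     whatever option names it is given. Registering on wp_ajax_nopriv_* is what
//     exposes it to unauthenticated requests; the missing current_user_can() check
//     is what lets those requests succeed.
function cwmp_example_update_options() {
    $options = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    foreach ( $options as $name => $value ) {
        // An attacker-controlled name/value pair lands directly in wp_options,
        // e.g. default_role => 'administrator' and users_can_register => '1'.
        update_option( sanitize_key( $name ), sanitize_text_field( $value ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_cwmp_example_update_options', 'cwmp_example_update_options' );
add_action( 'wp_ajax_nopriv_cwmp_example_update_options', 'cwmp_example_update_options' );

// --- Hardened form of the same handler.
function cwmp_example_update_options_secure() {
    // 1. Nonce: rejects forged cross-site requests (dies with HTTP 403 on failure).
    //    A nonce alone is NOT an authorization check; any logged-in user can obtain one.
    check_ajax_referer( 'cwmp_example_update_options', 'nonce' );

    // 2. Capability: only users who may manage site options get past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Allowlist: the handler may only touch the plugin's own options, so core
    //    options such as default_role, users_can_register or siteurl can never be
    //    written through it, whatever the request contains.
    $allowed = array( 'cwmp_example_checkout_layout', 'cwmp_example_show_coupon' ); // assumed names

    $options = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    $updated = array();
    foreach ( $options as $name => $value ) {
        $name = sanitize_key( $name );
        if ( ! in_array( $name, $allowed, true ) ) {
            continue; // drop anything outside the allowlist
        }
        update_option( $name, sanitize_text_field( $value ) );
        $updated[] = $name;
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}
// Registered for logged-in users only: a privileged action gets no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_cwmp_example_update_options_secure', 'cwmp_example_update_options_secure' );
```

The three controls are independent and all three are needed: the nonce stops CSRF but not a logged-in low-privilege user, the capability check stops that user but still leaves the handler as a generic option writer for administrators, and the allowlist bounds the blast radius if the first two are ever bypassed.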
Recommendations

Update to a version that includes a fix for this issue as soon as one is available. Until then, for versions 8.6.5 through 8.7.5, disable the cwmpUpdateOptions() function or block access to it (for example by deactivating the plugin) so that site options cannot be changed without authorization. Independently of the plugin, keep user registration disabled unless the site needs it and keep the default role for new users at subscriber. If the site was exposed while running an affected version, review the administrator accounts and the current values of default_role and users_can_register for unexpected changes.
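As an added example that is not part of the advisory or the plugin, the must-use plugin below implements the last two recommendations as a compensating control that holds even if wp_options is rewritten through a vulnerable handler. It uses two real WordPress filters: pre_option_{$option}, which short-circuits get_option() when it returns anything other than false, and pre_update_option_{$option}, which runs before a value is stored and makes update_option() a no-op when it returns the existing value. The constant names and the cwmp-example log prefix are this example's own; the pinned values (subscriber, registration off) are assumptions to adjust for a site that legitimately needs open registration.

```php
<?php
/**
 * Plugin Name: Pin registration options (added example, not the plugin's code)
 *
 * Place in wp-content/mu-plugins/ so it loads on every request and cannot be
 * deactivated from the dashboard. Even if default_role / users_can_register are
 * overwritten in the database, readers see the pinned values below, and writes
 * that would raise the default role or enable registration are refused and logged.
 */

// ASSUMPTION: these are the values a site without public sign-up should run with.
const CWMP_EXAMPLE_PINNED_ROLE         = 'subscriber';
const CWMP_EXAMPLE_PINNED_REGISTRATION = 0;

// Readers: pre_option_* returning a non-false value skips the database read.
add_filter( 'pre_option_default_role', function () {
    return CWMP_EXAMPLE_PINNED_ROLE;
} );
add_filter( 'pre_option_users_can_register', function () {
    return CWMP_EXAMPLE_PINNED_REGISTRATION;
} );

// Writers: returning $old_value from pre_update_option_* makes update_option()
// treat the write as unchanged and skip it, so the attacker's value never lands.
function cwmp_example_log_blocked_write( $option, $attempted ) {
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( '[cwmp-example] blocked write of %s="%s" from %s',
        $option, (string) $attempted, $addr ) );
}

add_filter( 'pre_update_option_default_role', function ( $new_value, $old_value ) {
    if ( CWMP_EXAMPLE_PINNED_ROLE !== $new_value ) {
        cwmp_example_log_blocked_write( 'default_role', $new_value );
        return $old_value;
    }
    return $new_value;
}, 10, 2 );

add_filter( 'pre_update_option_users_can_register', function ( $new_value, $old_value ) {
    if ( (int) $new_value !== CWMP_EXAMPLE_PINNED_REGISTRATION ) {
        cwmp_example_log_blocked_write( 'users_can_register', $new_value );
        return $old_value;
    }
    return $new_value;
}, 10, 2 );
```

This only closes the registration route; an attacker who can write arbitrary options can still do damage elsewhere, so it is a stopgap alongside updating or deactivating the plugin, not a substitute. After installing it, check whether the escalation already happened: list administrator accounts (for example with `wp user list --role=administrator --fields=ID,user_login,user_registered`) and compare the stored database values of the two options against the pinned ones, since the pre_option filters hide a tampered database value from get_option().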

Fix

LPE

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-2266

Affected Products

Checkout Mestres Wp