CVE-2025-3063

Name of the Vulnerable Software and Affected Versions Shopper Approved Reviews plugin for WordPress versions 2.0 through 2.1

Description The issue is related to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax callback update sa option() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. The attackers can leverage this to update the default role for registration to administrator and enable user registration, allowing them to gain administrative user access to a vulnerable site.

Recommendations For versions 2.0 through 2.1, consider disabling the ajax callback update sa option() function until a patch is available to prevent unauthorized modification of data. Restrict access to the WordPress site to minimize the risk of exploitation. Avoid using the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.