PT-2025-14890 · WordPress · Woffice Crm Theme
Friderika Baranyai · Published 2025-04-04 · Updated 2025-08-08 · CVE-2025-2798
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Woffice CRM theme for WordPress versions up to, and including, 5.4.21
Description
The issue is due to a misconfiguration of the roles excluded from registration, which makes it possible for unauthenticated attackers to register with the Administrator role when a custom login form is in use. This can be combined with other actions to bypass the user approval process if an Administrator can be tricked into taking an action such as clicking a link.
Recommendations
For versions up to, and including, 5.4.21, update to a version that fixes the misconfiguration of excluded roles during registration to prevent Authentication Bypass.
As a temporary workaround, consider disabling custom login forms until a patch is available.
Restrict access to the registration process to minimize the risk of exploitation.
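One way to enforce the last two recommendations at the WordPress level while waiting for a patched theme version is a small must-use plugin that refuses to let self-registration hand out privileged roles. The code below is an added example, not Woffice code and not the vendor's fix; the `set_user_role` and `add_user_role` actions, `promote_users` capability and `default_role` option are WordPress core APIs, while the `example_guard_` names, the privileged-role list and the optional core-registration switch are assumptions to adapt to the site.

```php
<?php
/**
 * Plugin Name: Example Registration Role Guard
 * Description: Added hardening example (not part of the Woffice theme). Place in
 *              wp-content/mu-plugins/ so it loads before any theme or plugin code.
 */

// Roles that must never be granted by an untrusted actor (assumption: adjust to the site).
const EXAMPLE_GUARD_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

// Assumption: set to true to also switch off core's own open registration
// (wp-login.php?action=register). Custom theme forms are not covered by this option.
const EXAMPLE_GUARD_BLOCK_CORE_REGISTRATION = false;

/**
 * True only for contexts that may legitimately assign roles: a logged-in user
 * with the promote_users capability, or a WP-CLI session. Anonymous front-end
 * registration (the path abused here) never satisfies this.
 */
function example_guard_actor_may_assign_roles() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return true;
    }
    return is_user_logged_in() && current_user_can( 'promote_users' );
}

/**
 * Safe role to fall back to. The site's default_role is used unless it is
 * itself privileged, which would re-open the hole.
 */
function example_guard_fallback_role() {
    $role = get_option( 'default_role', 'subscriber' );
    if ( in_array( $role, EXAMPLE_GUARD_PRIVILEGED_ROLES, true ) ) {
        $role = 'subscriber';
    }
    return $role;
}

/**
 * Fires from WP_User::set_role(), which wp_insert_user() uses for the 'role'
 * argument. Demotes a privileged role assigned by an untrusted actor.
 * set_role() re-fires this hook with the fallback role, which passes the check.
 */
function example_guard_on_set_user_role( $user_id, $role, $old_roles ) {
    if ( ! in_array( $role, EXAMPLE_GUARD_PRIVILEGED_ROLES, true ) ) {
        return;
    }
    if ( example_guard_actor_may_assign_roles() ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $fallback = example_guard_fallback_role();
    $user->set_role( $fallback );
    error_log( sprintf( 'role guard: demoted user %d from %s to %s', $user_id, $role, $fallback ) );
}
add_action( 'set_user_role', 'example_guard_on_set_user_role', 10, 3 );

/**
 * Fires from WP_User::add_role(); covers code paths that add a second role
 * instead of replacing the first one.
 */
function example_guard_on_add_user_role( $user_id, $role ) {
    if ( ! in_array( $role, EXAMPLE_GUARD_PRIVILEGED_ROLES, true ) ) {
        return;
    }
    if ( example_guard_actor_may_assign_roles() ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $user->remove_role( $role );
    if ( empty( $user->roles ) ) {
        $user->set_role( example_guard_fallback_role() );
    }
    error_log( sprintf( 'role guard: stripped role %s from user %d', $role, $user_id ) );
}
add_action( 'add_user_role', 'example_guard_on_add_user_role', 10, 2 );

// Optional: short-circuit the users_can_register option so core registration is off.
if ( EXAMPLE_GUARD_BLOCK_CORE_REGISTRATION ) {
    add_filter( 'pre_option_users_can_register', '__return_zero' );
}
```

The guard is deliberately keyed on who is performing the action rather than on which form was used, so it also catches any other plugin or theme path that passes an attacker-chosen role to `wp_insert_user()`. The `error_log` lines give a detection signal: any demotion entry in the PHP error log during normal operation means something tried to self-register with a privileged role.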
Fix
Weakness Enumeration
Improper Privilege Management
Related Identifiers
CVE-2025-2798
Affected Products
Woffice Crm Theme