CVE-2025-3852

Name of the Vulnerable Software and Affected Versions WPshop 2 – E-Commerce plugin for WordPress versions 2.0.0 through 2.6.0

Description The issue is related to privilege escalation via account takeover. This occurs because the plugin does not properly validate a user's identity before updating their details, such as email and password, through the update() function. As a result, authenticated attackers with subscriber-level access or higher can change arbitrary users' passwords, including those of administrators, and gain access to their accounts.

Recommendations For WPshop 2 – E-Commerce plugin for WordPress versions 2.0.0 through 2.6.0, consider disabling the update() function until a patch is available to prevent attackers from changing user passwords. Restrict access to the plugin's user management features to minimize the risk of exploitation. Avoid using the plugin until a fixed version is released. At the moment, there is no information about a newer version that contains a fix for this vulnerability.