CVE-2025-2266

CVE-2025-2266 is a high-severity vulnerability in the Checkout Mestres do WP for WooCommerce plugin for WordPress, affecting versions 8.6.5 through 8.7.5. It stems from a missing capability check in the cwmpUpdateOptions() function, enabling unauthorized modification of data that results in privilege escalation. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862 (Missing Authorization), published on 2025-03-29.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. By calling the vulnerable function, they can update arbitrary WordPress site options, such as changing the default role for new user registrations to administrator and enabling registration. This allows attackers to self-register with administrative privileges, achieving full site compromise including high confidentiality, integrity, and availability impacts.

Advisories and related resources, including Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/9834fd5b-8445-4c6f-95f9-f0df785c65f8?source=cve, the plugin's WordPress.org page at https://wordpress.org/plugins/checkout-mestres-wp/, and vulnerable code at https://plugins.trac.wordpress.org/browser/checkout-mestres-wp/trunk/backend/core/base/ajax.php#L31, offer details on detection and remediation for affected sites.