CVE-2025-30772
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-30772 is a missing authorization vulnerability (CWE-862) in the WPClever WPC Smart Upsell Funnel for WooCommerce plugin, which enables privilege escalation. The issue affects all versions of the plugin up to and including 3.0.4. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
A low-privileged authenticated user, such as a subscriber, can exploit this vulnerability over the network without user interaction. Successful exploitation allows arbitrary option updates, leading to privilege escalation, potentially granting the attacker administrative control over the WordPress site.
The Patchstack advisory details the vulnerability as an arbitrary option update issue and recommends updating to a patched version beyond 3.0.4 to mitigate the risk.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authorization flaw allowing low-privileged authenticated users to perform arbitrary option updates, directly resulting in privilege escalation to administrative control on the WordPress site.