Cross-Site Request Forgery Vulnerability in Simple Registration for WooCommerce by WordPress
CVE-2025-12095

8.8 HIGH

Key Information:

Vendor: WordPress

CVE Published: 25 October 2025

What is CVE-2025-12095?

The Simple Registration for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery because the role requests admin page handler performs no nonce validation. This allows unauthenticated attackers to approve pending role requests and escalate user privileges via a forged request, provided they can trick a site administrator into performing an action such as clicking on a malicious link. This presents a significant risk to site security, necessitating prompt action from users to mitigate potential exploits.

Affected Version(s)

Simple Registration for WooCommerce * <= 1.5.8

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jonas Benjamin Friedli