Cross-Site Request Forgery Vulnerability in Woffice Core Plugin for WordPress
CVE-2025-2797
5.4MEDIUM
What is CVE-2025-2797?
The Woffice Core plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This vulnerability enables attackers to forge a request that can approve user registrations if they successfully trick a site administrator into executing a specific action. This poses a significant risk as it could allow malicious entities to create unauthorized user accounts on affected WordPress sites.
Affected Version(s)
Woffice Core * <= 5.4.21