Authentication Bypass in Woffice CRM Theme for WordPress
CVE-2025-2798

9.8 CRITICAL

Key Information:

Vendor

WordPress

CVE Published:
4 April 2025

What is CVE-2025-2798?

The Woffice CRM theme for WordPress, in all versions up to and including 5.4.21, misconfigures the set of roles that are excluded from self-registration. On a site that exposes the theme's custom login/registration form, an unauthenticated attacker can register an account that holds administrative privileges, which amounts to full takeover of the site. That is what drives the 9.8 score: the flaw is reachable over the network, needs no prior privileges or user interaction, and has high impact on confidentiality, integrity and availability. The weakness is more dangerous still in combination with other flaws: an attacker who can also manipulate an administrator into an unwitting action can sidestep the site's user-approval process. Operators should update to a version later than 5.4.21 and review the user list for administrator accounts that were not created by staff.
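The bug class described above, a registration handler whose role "exclusion list" is incomplete, is easy to see side by side with its fix. The following is an added illustration written for this page; it is not Woffice's code and does not reproduce the theme's actual handler. The function names, the shape of the request array and the `role` field are assumptions; the role names are WordPress built-ins. It runs with the plain `php` CLI and needs no WordPress install.

```php
<?php
// Added illustration (not Woffice's code): how a deny list of "excluded
// roles" at registration goes wrong, and the allow list that replaces it.
// Function names and request shape are hypothetical; role names are the
// WordPress built-ins.

declare(strict_types=1);

/** Roles an anonymous visitor may pick for themselves. Everything else is refused. */
const SELF_REGISTRABLE_ROLES = ['subscriber', 'contributor'];

/** Site default used when the request carries no usable role (WordPress keeps this in the default_role option). */
const DEFAULT_ROLE = 'subscriber';

/**
 * Vulnerable pattern: the role from the request is honoured unless it is on a
 * deny list. A deny list that forgets a role (here 'administrator' is missing)
 * or that compares case-sensitively lets the visitor register straight into a
 * privileged role.
 */
function resolve_role_vulnerable(array $request, array $excluded_roles = ['editor']): string
{
    $role = $request['role'] ?? DEFAULT_ROLE;
    if (in_array($role, $excluded_roles, true)) {
        return DEFAULT_ROLE;
    }
    return $role;                       // 'administrator' passes straight through
}

/**
 * Hardened pattern: an allow list of self-registrable roles, normalised before
 * comparison, with the site default as the only fallback. A request-supplied
 * 'administrator', 'Administrator' or any unknown string can never be returned.
 */
function resolve_role_hardened(array $request): string
{
    $role = strtolower(trim((string) ($request['role'] ?? '')));
    return in_array($role, SELF_REGISTRABLE_ROLES, true) ? $role : DEFAULT_ROLE;
}

// Constructed sample requests, as a custom registration form might submit them.
$samples = [
    ['user_login' => 'alice',    'role' => 'subscriber'],
    ['user_login' => 'mallory',  'role' => 'administrator'], // not on the deny list
    ['user_login' => 'mallory2', 'role' => 'Editor'],        // case evades the strict deny list
    ['user_login' => 'bob'],                                 // no role supplied at all
];

foreach ($samples as $req) {
    printf(
        "%-9s vulnerable=%-13s hardened=%s\n",
        $req['user_login'],
        resolve_role_vulnerable($req),
        resolve_role_hardened($req)
    );
}
```

In a real theme the resolved role is what ends up in `wp_insert_user()` or `$user->set_role()`, so the value must be decided server-side from an allow list rather than read back from a hidden form field. To check an existing site for accounts that slipped through, `wp user list --role=administrator --fields=ID,user_login,user_registered` (WP-CLI) lists every administrator with its registration date.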

Affected Version(s)

Woffice CRM, all versions up to and including 5.4.21 (<= 5.4.21)

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 4 April 2025

Credit

Friderika Baranyai
The Cyber Security Vulnerability Database.