Authentication Bypass in Woffice CRM Theme for WordPress
CVE-2025-2798

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Woffice Crm
Vendor: CVE Published:; 4 April 2025

What is CVE-2025-2798?

The Woffice CRM theme for WordPress contains a vulnerability that allows unauthenticated attackers to exploit a misconfiguration related to user roles during registration. Any user accessing a custom login form can potentially register with administrative privileges, posing significant risks to site security. This vulnerability is particularly dangerous when combined with other security weaknesses, enabling attackers to sidestep standard user approval processes if they can manipulate administrators into unwitting actions.

Affected Version(s)

Woffice CRM * <= 5.4.21

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://hub.woffice.io/woffice/changelog#april-1st-2025-v...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2025
Vulnerability Reserved
Mar 25, 2025

Credit

Friderika Baranyai