Authentication Bypass in Woffice CRM Theme for WordPress
CVE-2025-2798
9.8 CRITICAL
What is CVE-2025-2798?
The Woffice CRM theme for WordPress contains a vulnerability that allows unauthenticated attackers to exploit a misconfiguration related to user roles during registration. Any user accessing a custom login form can potentially register with administrative privileges, posing significant risks to site security. This vulnerability is particularly dangerous when combined with other security weaknesses, enabling attackers to sidestep standard user approval processes if they can manipulate administrators into unwitting actions.
Affected Version(s)
Woffice CRM * <= 5.4.21