Platform: wordpress
Component: woffice
Fixed in: 5.4.22
CVE-2025-2798 describes a critical Authentication Bypass vulnerability affecting Woffice CRM versions from 0.0.0 through 5.4.21. This flaw allows unauthenticated attackers to register with an Administrator role, granting them significant control over the system. A fix is available in version 5.4.22, and users are strongly advised to upgrade immediately.
The impact of CVE-2025-2798 is severe. Successful exploitation lets an attacker bypass the normal registration and approval flow and obtain an Administrator account directly. On WordPress that is full control of the site: the attacker can create, modify, and delete users, read any stored data, and, because administrators can by default install themes and plugins, run arbitrary PHP on the host. The effect is amplified in combination with CVE-2025-2797, which lets an attacker bypass user approval entirely by tricking an administrator into a specific action, such as clicking a crafted link. The end result can be complete site takeover and data exfiltration.
CVE-2025-2798 was publicly disclosed on 2025-04-04. The vulnerability's ease of exploitation and the potential for significant impact suggest a medium to high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. It is recommended to monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting Woffice CRM installations.
Any site running an affected Woffice version with its registration form reachable by unauthenticated users is at risk, whether it uses the theme's custom login form or the standard user registration process. On shared hosting, an administrator-level compromise of one site can spread to other WordPress installations on the same server if they are not isolated from each other (separate system users and file permissions). Sites that also run an outdated WordPress core face the added complication that the patched theme version may not be compatible with it, which can delay the upgrade.
Check, update, and probe (wordpress / composer / npm):
• wp plugin list | grep woffice
• wp plugin update woffice
• grep -r 'excluded_roles' /var/www/html/wp-content/plugins/wooffice-crm/*
Generic web:
• curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=wooffice_register_user
EPSS: 1.05% (77th percentile)
The primary mitigation for CVE-2025-2798 is to upgrade Woffice to version 5.4.22 or later immediately. If that is not feasible right away, apply temporary workarounds: restrict access to the custom login and registration forms, confirm that the role exclusion configuration actually excludes Administrator (and other privileged roles) from self-registration, and enforce on the server side that a self-registered user can only receive the default role, regardless of what the form submits. Monitor WordPress logs and the user table for registration events that result in an Administrator role. Note that the upgrade closes the hole but does not remove accounts an attacker may already have created, so after upgrading, review every Administrator account against a list of known legitimate ones and remove any you cannot account for. Finally, verify the fix by registering a test user through the custom login form and confirming the new account does not receive the Administrator role.
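The following audit script is an added example for this advisory; it is not code from the page's author or from the Woffice project. It covers two of the steps above in one run: checking whether the installed Woffice version is at or past the fixed release, and finding Administrator accounts that are either unknown to the operator or were registered on or after a baseline date (here the disclosure date), since an upgrade alone leaves attacker-created accounts in place. It assumes WP-CLI is available on the site (`wp theme list --format=json` and `wp user list --format=json`; Woffice is a theme, so `wp theme list` rather than `wp plugin list` is where it appears), that the theme's slug contains "woffice", and that the operator maintains an allowlist of legitimate administrator logins. All JSON in the block is constructed sample data, not output from a real site.

```python
"""Post-patch audit for a Woffice site (added example, not project code).

Upgrading to 5.4.22 stops new abuse of the registration flaw, but it does not
remove Administrator accounts an attacker has already registered, so the audit
has two parts:

  1. version check: is the installed Woffice version 5.4.22 or later?
  2. admin audit:   which Administrator accounts are not on a known-good
                    allowlist, or were registered on/after a baseline date?

Both parts read the JSON that WP-CLI prints for
    wp theme list --format=json
    wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles
The JSON below is constructed sample data, not output from a real site.
"""
import json
from datetime import datetime
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "5.4.22"        # from the advisory
THEME_SLUG_HINT = "woffice"     # assumption: the theme's slug contains this

# Constructed sample of `wp theme list --format=json` output.
SAMPLE_THEMES = json.dumps([
    {"name": "woffice", "status": "active", "update": "available", "version": "5.4.21"},
    {"name": "twentytwentyfour", "status": "inactive", "update": "none", "version": "1.1"},
])

# Constructed sample of `wp user list --format=json ...` output.
# "jsmith-backup" plays the account an attacker registered through the flaw.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2023-01-10 09:15:00", "roles": "administrator"},
    {"ID": 2, "user_login": "ops", "user_email": "ops@example.com",
     "user_registered": "2024-11-02 14:20:31", "roles": "administrator"},
    {"ID": 57, "user_login": "jsmith-backup", "user_email": "js@mail.example",
     "user_registered": "2025-04-05 03:12:44", "roles": "administrator"},
    {"ID": 58, "user_login": "newreader", "user_email": "nr@example.com",
     "user_registered": "2025-04-06 11:00:00", "roles": "subscriber"},
])
KNOWN_ADMINS = {"siteowner", "ops"}   # allowlist maintained by the site operator


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.4.22' -> (5, 4, 22). Compare numerically: a plain string compare
    would rank '5.4.9' above '5.4.22' and call an unpatched site patched."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return parse_version(installed) >= parse_version(fixed)


def find_woffice(theme_list_json: str) -> Optional[Dict]:
    """Return the Woffice entry from `wp theme list --format=json`, if present."""
    for theme in json.loads(theme_list_json):
        if THEME_SLUG_HINT in theme.get("name", "").lower():
            return theme
    return None


def suspicious_admins(user_list_json: str, known_admins: set,
                      baseline: str) -> List[Tuple[str, List[str]]]:
    """Flag Administrator accounts that are not in known_admins or were
    registered on/after `baseline` (YYYY-MM-DD, e.g. the disclosure date).
    Returns [(user_login, [reasons...]), ...]."""
    baseline_dt = datetime.strptime(baseline, "%Y-%m-%d")
    flagged = []
    for user in json.loads(user_list_json):
        roles = user.get("roles", "")
        if isinstance(roles, str):               # WP-CLI prints "a,b" as one string
            roles = [r.strip() for r in roles.split(",")]
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("not on the known-admin allowlist")
        if registered >= baseline_dt:
            reasons.append(f"registered {user['user_registered']} (on/after baseline)")
        if reasons:
            flagged.append((user["user_login"], reasons))
    return flagged


def audit(theme_list_json: str, user_list_json: str, known_admins: set,
          baseline: str) -> Dict:
    theme = find_woffice(theme_list_json)
    return {
        "woffice_version": theme["version"] if theme else None,
        "patched": bool(theme) and is_patched(theme["version"]),
        "suspicious_admins": suspicious_admins(user_list_json, known_admins, baseline),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_THEMES, SAMPLE_USERS, KNOWN_ADMINS, baseline="2025-04-04")
    state = "patched" if result["patched"] else "VULNERABLE, upgrade to " + FIXED_VERSION
    print(f"Woffice {result['woffice_version']}: {state}")
    for login, reasons in result["suspicious_admins"]:
        print(f"REVIEW admin account {login!r}: " + "; ".join(reasons))
```

On a real site, feed the script the actual WP-CLI output (for example, save `wp theme list --format=json` and `wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles` to files and pass their contents to `audit`), keep the allowlist under change control, and treat every flagged account as an incident to investigate rather than something to silently delete, since the account's creation time and e-mail address are useful evidence for the rest of the response.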
Update the Woffice CRM theme to version 5.4.22 or later to fix the authentication bypass. The update corrects the misconfiguration of the excluded roles during registration and prevents unauthenticated attackers from registering with Administrator privileges.
CVE-2025-2798 is a critical vulnerability in Woffice CRM allowing unauthenticated attackers to register with Administrator roles due to a misconfigured registration process.
If you are using Woffice CRM versions 0.0.0 through 5.4.21, you are affected by this vulnerability and must upgrade immediately.
Upgrade Woffice CRM to version 5.4.22 or later to resolve the Authentication Bypass vulnerability. Consider temporary mitigations if immediate upgrade is not possible.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a medium to high probability of exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official Woffice CRM website or WordPress plugin repository for the latest security advisory and update information regarding CVE-2025-2798.