Platform: wordpress
Component: woffice
Fixed in: 5.4.22
CVE-2025-2798 describes a critical Authentication Bypass vulnerability affecting Woffice CRM versions from 0.0.0 through 5.4.21. This flaw allows unauthenticated attackers to register with an Administrator role, granting them significant control over the system. A fix is available in version 5.4.22, and users are strongly advised to upgrade immediately.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to bypass the standard user registration and approval process and directly obtain Administrator privileges. This grants complete control over the Woffice CRM system, including access to sensitive customer data, modification of configurations, and potentially compromise of the entire WordPress installation. The vulnerability's ease of exploitation, combined with the high privileges granted, makes it a significant risk. It is particularly concerning that this can be chained with CVE-2025-2797 to further bypass security measures if an administrator is tricked into taking an action.
CVE-2025-2798 was publicly disclosed on 2025-04-04. The CVSS score of 9.8 (CRITICAL) reflects the ease of exploitation and the high impact of gaining Administrator privileges. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's nature and severity. It is recommended to monitor security advisories and threat intelligence feeds for any indications of active exploitation.
EPSS: 1.05% (77th percentile)
The primary mitigation is to upgrade Woffice CRM to version 5.4.22 or later, which contains the fix for this authentication bypass. If upgrading immediately is not possible, consider temporarily disabling user registration or implementing stricter role-based access controls. Review existing user accounts for any suspicious Administrator accounts that may have been created without proper authorization. Implement a Web Application Firewall (WAF) rule to block requests attempting to register users with privileged roles. Monitor WordPress logs for unusual registration attempts.
Update the Woffice CRM theme to version 5.4.22 or higher to fix the authentication bypass vulnerability. This update addresses the incorrect configuration of excluded roles during registration, preventing unauthenticated attackers from registering with administrator privileges.
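As an added example (not Woffice's code and not the theme's 5.4.22 patch), the following WordPress must-use plugin implements the compensating control described above for sites that cannot upgrade yet: any account created through an unauthenticated registration that ends up in a privileged role is demoted to a safe role, tagged for review, and logged. The role lists, the `rrg_` function names and the `rrg_flagged_roles` meta key are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (added example, hypothetical)
 * Description: Demote self-registered accounts that received a privileged
 *   role, flag them for review, and log the event.
 * Install: wp-content/mu-plugins/registration-role-guard.php
 */

// Roles a self-service registration must never end up with (assumption).
const RRG_PRIVILEGED_ROLES = array( 'administrator', 'editor' );
// Role forced onto such accounts pending manual review (assumption).
const RRG_SAFE_ROLE = 'subscriber';

/** True when an authorised actor is creating the account (wp-admin, WP-CLI). */
function rrg_is_trusted_context() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return true;
    }
    return is_user_logged_in() && current_user_can( 'create_users' );
}

/** Demote a freshly created or re-roled user if it holds a privileged role. */
function rrg_guard_new_user( $user_id ) {
    static $in_progress = false;          // our own set_role() re-fires set_user_role
    if ( $in_progress || rrg_is_trusted_context() ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $bad = array_intersect( (array) $user->roles, RRG_PRIVILEGED_ROLES );
    if ( empty( $bad ) ) {
        return;
    }
    $in_progress = true;
    $user->set_role( RRG_SAFE_ROLE );     // replaces every role on the account
    update_user_meta( $user_id, 'rrg_flagged_roles', implode( ',', $bad ) );
    $in_progress = false;
    error_log( sprintf(
        'rrg: user %d (%s) self-registered as %s; demoted to %s; remote=%s',
        $user_id, $user->user_login, implode( ',', $bad ), RRG_SAFE_ROLE,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'n/a'
    ) );
}
// Covers the role set inside wp_insert_user() as well as a role assigned
// afterwards through WP_User::set_role() or WP_User::add_role().
add_action( 'user_register', 'rrg_guard_new_user', PHP_INT_MAX );
add_action( 'set_user_role', 'rrg_guard_new_user', PHP_INT_MAX );
add_action( 'add_user_role', 'rrg_guard_new_user', PHP_INT_MAX );
```

Accounts carrying the `rrg_flagged_roles` meta key can then be listed during the account review the advisory recommends; the `error_log` line gives the registration timestamp and source address for correlation with web-server logs.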
CVE-2025-2798 is a critical vulnerability in Woffice CRM allowing unauthenticated attackers to register with Administrator roles due to a misconfigured registration process.
If you are using Woffice CRM versions 0.0.0 through 5.4.21, you are affected by this vulnerability and must upgrade immediately.
Upgrade Woffice CRM to version 5.4.22 or later to resolve the Authentication Bypass vulnerability. Consider temporary mitigations if immediate upgrade is not possible.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Monitor security advisories.
Refer to the official Woffice CRM website or WordPress plugin repository for the latest security advisory and update information regarding CVE-2025-2798.