Platform
wordpress
Component
woocommerce-multiple-addresses
Fixed version
1.0.8
CVE-2025-4335 is a Privilege Escalation vulnerability discovered in the Woocommerce Multiple Addresses plugin for WordPress. An authenticated attacker with Subscriber-level access or higher can exploit this flaw to elevate their privileges to that of an administrator, gaining unauthorized control over the WordPress site. This vulnerability impacts versions 1.0.0 through 1.0.7.1, and a patch is expected to be released by the plugin developer.
Successful exploitation of CVE-2025-4335 allows an attacker to bypass access controls and assume the role of a WordPress administrator. This grants them complete control over the website, including the ability to modify content, install plugins, change user permissions, and access sensitive data. The potential impact extends to all data stored within the WordPress installation, including customer information, order details, and financial records. This vulnerability is particularly concerning because it requires only authenticated access, making it easier to exploit than vulnerabilities requiring anonymous access. The blast radius is significant, potentially impacting the entire WordPress site and its users.
CVE-2025-4335 was publicly disclosed on 2025-05-07. The vulnerability's ease of exploitation, combined with the widespread use of WordPress and the Woocommerce Multiple Addresses plugin, suggests a potential for active exploitation. Currently, there are no publicly available proof-of-concept exploits, but the vulnerability is being monitored. Its inclusion in the NVD is pending.
Websites utilizing the Woocommerce Multiple Addresses plugin, particularly those with Subscriber-level users who have access to modify user meta data, are at risk. Shared WordPress hosting environments where users have limited control over plugin updates are also particularly vulnerable. Any WordPress site using versions 1.0.0 through 1.0.7.1 of the plugin is potentially exposed.
• wordpress / composer / npm:
grep -r 'save_multiple_shipping_addresses' /var/www/html/wp-content/plugins/woocommerce-multiple-addresses/
• wordpress / composer / npm:
wp plugin list --status=active | grep woocommerce-multiple-addresses
• wordpress / composer / npm:
wp plugin update woocommerce-multiple-addresses --all
Disclosure
Exploitation status
EPSS
0.26% (49th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-4335 is to upgrade to a patched version of the Woocommerce Multiple Addresses plugin as soon as it becomes available. Until a patch is released, consider restricting access to administrative functions for users with Subscriber roles. Implement a Web Application Firewall (WAF) rule to block requests that reach the save_multiple_shipping_addresses() function with suspicious user meta data. Regularly review user roles and permissions to ensure that no unauthorized users have elevated privileges. After upgrading, confirm the fix by attempting to elevate a Subscriber account to administrator privileges and verifying that the action is denied.
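The version check and the role review recommended above, as an added example that is not part of this advisory: it compares the installed plugin version against the affected range 1.0.0 through 1.0.7.1 stated on this page and, when the site is affected, lists administrator accounts for review. It assumes WP-CLI (`wp`) is available on the host for the live check; the version helpers run without it.

```shell
#!/bin/sh
# Added example, not part of the advisory: checks whether the installed
# woocommerce-multiple-addresses version lies in the affected range
# 1.0.0 .. 1.0.7.1 and, if so, lists administrator accounts so that an
# unexpected promotion from Subscriber can be reviewed. Requires WP-CLI
# ("wp") on the host for the live check; the helpers run without it.
PLUGIN="woocommerce-multiple-addresses"
FIRST_AFFECTED="1.0.0"
LAST_AFFECTED="1.0.7.1"

# Compare two dotted, purely numeric version strings component by
# component; prints -1, 0 or 1. Missing trailing components count as 0,
# so 1.0 equals 1.0.0 and 1.0.7.1 sorts after 1.0.7.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$x" = "$a" ]; then a=""; else a="${a#*.}"; fi
    if [ "$y" = "$b" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
    if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
  done
  echo 0
}

# True (exit 0) when $1 is inside [FIRST_AFFECTED, LAST_AFFECTED].
is_affected() {
  [ "$(vercmp "$1" "$FIRST_AFFECTED")" -ge 0 ] &&
  [ "$(vercmp "$1" "$LAST_AFFECTED")" -le 0 ]
}

# Live check against the site WP-CLI is pointed at (run from the WordPress
# root or pass --path). Exits 1 when an affected version is installed.
check_site() {
  v="$(wp plugin get "$PLUGIN" --field=version 2>/dev/null)" || {
    echo "$PLUGIN is not installed"; return 0; }
  if is_affected "$v"; then
    echo "AFFECTED: $PLUGIN $v is in $FIRST_AFFECTED..$LAST_AFFECTED (CVE-2025-4335)"
    echo "Administrator accounts to review (look for unexpected promotions):"
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
    return 1
  fi
  echo "OK: $PLUGIN $v is outside the affected range"
}

if command -v wp >/dev/null 2>&1; then
  check_site
fi
```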
Update the Woocommerce Multiple Addresses plugin to the latest available version to mitigate the privilege escalation vulnerability. Check for available updates in the WordPress plugin repository or on the developer's website. Make sure to take a full backup of the site before applying any update.
CVE-2025-4335 is a HIGH severity vulnerability in the Woocommerce Multiple Addresses plugin for WordPress, allowing authenticated subscribers to gain administrator privileges.
If you are using Woocommerce Multiple Addresses version 1.0.0 through 1.0.7.1, you are potentially affected by this vulnerability.
Upgrade to a patched version of the Woocommerce Multiple Addresses plugin as soon as it becomes available. Until then, restrict Subscriber access to administrative functions.
While no public exploits are currently available, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and patch release.