CVE-2025-2266 CRITICAL

CVE-2025-2266: Checkout Mestres do WP for WooCommerce 8.6.5 - 8.7.5 - Unauthenticated Arbitrary Options Update

Vendor Mestresdowp
Product Checkout Mestres do WP for WooCommerce
Weakness CWE-862 · Missing authorization
Published March 29, 2025
Last update March 31, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Checkout Mestres do WP for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the cwmpUpdateOptions() function in versions 8.6.5 to 8.7.5. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
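The missing-authorization pattern the description refers to, shown as an added illustration that is not the plugin's own code: a hypothetical WordPress AJAX options handler (the `demo_*` names, the `DEMO_ALLOWED_OPTIONS` keys and the nonce action are assumptions) that writes whatever options the caller names with no capability check, beside a hardened version that requires `manage_options`, verifies a nonce and only accepts allowlisted keys.

```php
<?php
// Added illustration, not the plugin's code. Handler names, hook names and the
// option allowlist are assumptions; the WordPress API calls are real.

// VULNERABLE PATTERN (CWE-862): reachable without a login through the
// wp_ajax_nopriv_ hook and no capability check before update_option(), so any
// caller can set any option, including default_role and users_can_register.
function demo_update_options_vulnerable() {
    $options = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    foreach ( $options as $key => $value ) {
        update_option( sanitize_key( $key ), $value ); // caller chooses the option name
    }
    wp_send_json_success();
}
// Registration kept as comments so the vulnerable handler is not wired up here:
// add_action( 'wp_ajax_nopriv_demo_update_options', 'demo_update_options_vulnerable' );
// add_action( 'wp_ajax_demo_update_options', 'demo_update_options_vulnerable' );

// HARDENED: authenticated hook only, capability check, nonce check, and an
// allowlist so the endpoint can only touch the settings it owns.
const DEMO_ALLOWED_OPTIONS = array( 'demo_checkout_layout', 'demo_checkout_fields' ); // assumed keys

function demo_update_options_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // ends the request
    }
    check_ajax_referer( 'demo_update_options', 'nonce' ); // dies on a bad or missing nonce
    $options = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    foreach ( $options as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, DEMO_ALLOWED_OPTIONS, true ) ) {
            continue; // never let the caller pick arbitrary option names
        }
        update_option( $key, sanitize_text_field( (string) $value ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_options', 'demo_update_options_hardened' );
```

Note that `wp_ajax_nopriv_*` hooks should only be registered for actions that are genuinely meant to be public, and a nonce alone is not an authorization check: the `current_user_can()` test is what closes the CWE-862 gap.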

Explanation of Vulnerability in Simple Terms

02Summary

Checkout Mestres do WP for WooCommerce versions 8.6.5 through 8.7.5 lack proper authorization checks, allowing unauthenticated attackers to perform sensitive actions without permission. An attacker can read, modify, or delete data and functionality on the affected site over the network without needing valid credentials or user interaction. This is a critical vulnerability affecting WooCommerce checkout operations.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete site data and WooCommerce checkout functionality without authentication.

Potential impact on your site

04Site Impact

Attackers can compromise customer data, orders, and payment information without logging in.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

March 29, 2025 CVE published
March 31, 2025 Record updated