{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2797", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-25T17:47:42.219Z", "datePublished": "2025-04-04T07:00:12.004Z", "dateUpdated": "2026-04-08T16:37:10.874Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:10.874Z"}, "affected": [{"vendor": "WofficeIO", "product": "Woffice Core", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.4.21", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Woffice Core <= 5.4.21 - Cross-Site Request Forgery to User Registration Approval", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1665f2d0-899b-4f9b-91b1-e5799c3b4d3d?source=cve"}, {"url": "https://hub.woffice.io/woffice/changelog#april-1st-2025-version-5422"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "timeline": [{"time": "2025-04-03T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-04T13:19:53.241348Z", "id": "CVE-2025-2797", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-04T13:22:24.992Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2797", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-04T13:19:53.241348Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-04T13:20:05.108Z"}}], "cna": {"title": "Woffice Core <= 5.4.21 - Cross-Site Request Forgery to User Registration Approval", "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "WofficeIO", "product": "Woffice Core", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.4.21"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-03T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1665f2d0-899b-4f9b-91b1-e5799c3b4d3d?source=cve"}, {"url": "https://hub.woffice.io/woffice/changelog#april-1st-2025-version-5422"}], "descriptions": [{"lang": "en", "value": "The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-06-09T19:27:42.586Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2797", "state": "PUBLISHED", "dateUpdated": "2025-06-09T19:27:42.586Z", "dateReserved": "2025-03-25T17:47:42.219Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-04T07:00:12.004Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xtendify:woffice:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DF2CF954-7216-4D4A-9BB4-A4046F930A47", "versionEndExcluding": "5.4.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Woffice Core para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 5.4.21 incluida. Esto se debe a la falta o a una validaci\u00f3n incorrecta de nonce en la funci\u00f3n 'woffice_handle_user_approval_actions'. Esto permite que atacantes no autenticados aprueben el registro de cualquier usuario mediante una solicitud falsificada, siempre que puedan enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-2797", "lastModified": "2025-08-08T20:06:18.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-04T07:15:42.380", "references": [{"source": "security@wordfence.com", "tags": ["Release Notes"], "url": "https://hub.woffice.io/woffice/changelog#april-1st-2025-version-5422"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1665f2d0-899b-4f9b-91b1-e5799c3b4d3d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T02:19:08.712508+00:00", "value": {"mitigation_remediation": ["Update Woffice Core to version 5.4.22 or later, which removes the CSRF weakness.", "If an immediate update is not possible, disable the registration approval workflow or remove the 'approve user' capability from administrators to block the compromised action.", "Apply a temporary manual patch by adding a nonce verification check to the 'woffice_handle_user_approval_actions' function until the official fix is applied.", "Educate site administrators to verify the legitimacy of any links or requests before clicking them."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery allows unauthenticated actors to approve user registrations without admin consent"}, "threat_synthesis": {"affected_systems": "All WordPress sites using Woffice Core up to and including version 5.4.21 are affected. The issue is specific to the WofficeIO Woffice Core plugin.", "description_and_impact": "The flaw is a missing or incorrect nonce check in the plugin\u2019s user approval function, which lets an attacker send a forged request to approve any registration. Since the action occurs when an administrator is prompted to click a link or take an action, the vulnerability can bypass the mandatory approval step and create user accounts that bypass the intended approval workflow.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low current exploitation likelihood. The vulnerability is not listed in CISA\u2019s KEV catalog and requires social engineering to exploit, as the attacker must convince an administrator to trigger the forged request. If exploited, the attacker could gain unauthorized account creation privileges, potentially leading to further attacks if those accounts are used as footholds."}}}}, "created": "2025-07-13T11:06:54.942161+00:00", "updated": "2026-04-28T02:30:18.741973+00:00", "vendors": ["wofficeio", "wofficeio$PRODUCT$woffice_core", "wordpress", "wordpress$PRODUCT$wordpress"]}