CVE-2025-2797: CWE-352 Cross-Site Request Forgery (CSRF) in WofficeIO Woffice Core
The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-2797 is a Cross-Site Request Forgery (CSRF) vulnerability in the Woffice Core plugin for WordPress, affecting all versions up to and including 5.4.21. The flaw is missing or incorrect nonce validation in the 'woffice_handle_user_approval_actions' function. WordPress nonces are per-user, per-action tokens (minted with wp_create_nonce() or wp_nonce_field(), checked with wp_verify_nonce() or check_admin_referer()) whose purpose is to prove that a state-changing request was initiated from the site's own interface by the logged-in user, rather than by a third-party page whose request the browser simply decorated with the user's session cookies. They are not an authentication or authorization mechanism: the handler must still check the caller's capability with current_user_can(), and a nonce check without a capability check, or the reverse, leaves a gap. Because the approval handler does not verify a valid nonce, an unauthenticated attacker can host a page that issues the approval request; when a logged-in administrator (or any user with approval rights) visits that page or clicks a crafted link, the browser attaches the administrator's cookies and the plugin approves whichever registration the attacker named. The practical chain is that the attacker first registers an account that lands in the pending-approval queue and then forces its approval. If the handler accepts the action on a GET request (the description mentions clicking a link), the browser default of SameSite=Lax on cookies does not help, since Lax still sends cookies on top-level navigations. The attack needs user interaction and social engineering, which is why the CVSS v3.1 base score is 5.4 (medium): network attack vector, low complexity, no privileges required, user interaction required, limited impact on confidentiality and integrity, none on availability. No exploitation in the wild is reported here, but the issue is publicly disclosed and should be addressed promptly.
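The following is an added example, not Woffice code: a user-approval handler written in the vulnerable shape the advisory describes (no nonce, no capability check), next to a hardened version and the form that legitimately reaches it. All names (the example_* functions, the 'approve_user' parameter, the 'example_approved' meta key, the 'promote_users' capability choice) are hypothetical; the page does not give the real handler's parameters. The WordPress API calls (check_admin_referer(), wp_nonce_field(), current_user_can(), admin_post_* actions) are real.

```php
<?php
/**
 * Added example (not Woffice code). Hypothetical user-approval handler in
 * the vulnerable shape the advisory describes, beside a hardened version.
 */

/*
 * Vulnerable shape: any request carrying the parameter is honoured.
 * A page on another origin can submit this (or link to it, if GET is
 * accepted); the browser attaches the admin's cookies, so the request is
 * authenticated but was never intended by the admin.
 */
function example_approve_user_vulnerable() {
    if ( empty( $_REQUEST['approve_user'] ) ) {
        return;
    }
    $user_id = absint( $_REQUEST['approve_user'] );
    // No nonce check and no capability check.
    update_user_meta( $user_id, 'example_approved', 1 );
}

/*
 * Hardened shape: POST only, capability check, then a nonce bound to this
 * action and this target user. Authorisation comes first so unauthorised
 * callers are rejected before any further work.
 */
function example_approve_user_hardened() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || empty( $_POST['approve_user'] ) ) {
        return;
    }
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'You are not allowed to approve users.', 'Forbidden', array( 'response' => 403 ) );
    }
    $user_id = absint( $_POST['approve_user'] );
    // check_admin_referer() runs wp_verify_nonce() on $_REQUEST['_wpnonce']
    // and dies with a 403 on failure. Binding the user id into the action
    // string stops a nonce minted for user 12 being replayed against user 13.
    check_admin_referer( 'example_approve_user_' . $user_id );
    update_user_meta( $user_id, 'example_approved', 1 );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}
add_action( 'admin_post_example_approve_user', 'example_approve_user_hardened' );

/*
 * The only legitimate path to the hardened handler: a form rendered by the
 * site itself, carrying a nonce minted for this user and this action.
 */
function example_approve_user_form( $user_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_approve_user">
        <input type="hidden" name="approve_user" value="<?php echo esc_attr( $user_id ); ?>">
        <?php wp_nonce_field( 'example_approve_user_' . $user_id ); ?>
        <button type="submit" class="button">Approve</button>
    </form>
    <?php
}
```

The order in the hardened handler is deliberate: a forged request from another site fails the nonce check even when the victim is an administrator, and a request from a low-privileged logged-in user who somehow obtains a nonce still fails the capability check. Either check on its own is the kind of "missing or incorrect" validation the advisory refers to.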
Potential Impact
For European organizations running Woffice Core in their WordPress environments, the risk is that user registrations get approved without an administrator intending it. Woffice is typically deployed as an intranet or collaboration portal, so an attacker who registers an account and then tricks an administrator into approving it gains an authenticated foothold in that portal: access to internal documents, member directories and discussions, and a base for further attacks against the user base. This undermines trust in the internal collaboration platform and can lead to data breaches and GDPR obligations if personal data is exposed. The exposure is largest for organizations with large user bases or that rely heavily on WordPress-based intranet solutions. Availability is not affected, but the integrity and confidentiality consequences can be operationally and reputationally significant.
Mitigation Recommendations
European organizations should immediately check whether any WordPress installation runs Woffice Core version 5.4.21 or earlier (the Plugins screen, or `wp plugin list` with WP-CLI, shows the installed version). Since no official patch links are provided here, monitor the vendor's announcements for a security update. In the interim:
1) Restrict access to the WordPress admin interface to trusted networks and users, which shrinks the population that can be targeted with a forged request.
2) Educate administrators and approvers that clicking unsolicited links or visiting untrusted sites while logged in to WordPress can trigger actions in their name, and that approvals should be performed only from within the site's own admin UI.
3) Deploy WAF rules for the user approval endpoints that reject requests whose Origin or Referer header is not the site's own origin; a forged request from another site carries that site's origin. Header checks are not a substitute for nonces, but they catch the browser-driven CSRF this advisory describes.
4) Disable or restrict the user approval feature if feasible until a patch is available.
5) Audit approvals regularly: reconcile newly approved accounts against the administrator recorded as approving them and the time of approval, and treat approvals the administrator does not recognize as incidents.
6) Set the SameSite attribute on the WordPress authentication cookies (via server configuration or a plugin) where the site's SSO or embedding setup allows it, with this caveat: the browser default of SameSite=Lax still sends cookies on top-level GET navigations, so if the handler accepts the approval action via a link, only SameSite=Strict blocks it. Content Security Policy headers do not mitigate CSRF, because the forged request is an ordinary form submission or navigation rather than injected script.
Once a patch is released, apply it promptly and verify that the handler checks a nonce (wp_verify_nonce() or check_admin_referer()) and the caller's capability (current_user_can()) before approving anyone; a nonce check alone, without the capability check, is not sufficient.
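As an added example of the interim origin check and audit logging from items 3 and 5 above (not Woffice code, and not a replacement for the vendor fix), the following must-use plugin rejects cross-site requests aimed at the approval action and logs every attempt. The request markers in $approval_params are hypothetical placeholders, since the page does not give the real handler's parameter names; they must be replaced with the names taken from the plugin source before use. The WordPress functions used (home_url(), wp_parse_url(), wp_die()) are real.

```php
<?php
/**
 * Plugin Name: Example interim CSRF guard for user-approval requests
 *
 * Added example, not Woffice code. Install in wp-content/mu-plugins/.
 * Must-use plugins load before regular plugins, so this guard runs before
 * Woffice has registered any hook, whichever action its handler uses.
 * $approval_params holds hypothetical names: replace them with the
 * parameters the real handler reads, taken from the plugin source.
 */

function example_is_approval_request() {
    $approval_params = array( 'woffice_user_approval', 'approve_user' ); // hypothetical
    foreach ( $approval_params as $p ) {
        if ( isset( $_REQUEST[ $p ] ) ) {
            return true;
        }
    }
    return false;
}

/*
 * Same-origin check on Origin (browsers send it on POST) or, failing that,
 * the raw Referer (sent on link navigation). Deliberately not wp_get_referer():
 * that helper honours a '_wp_http_referer' request field first, which an
 * attacker's form can set to the victim site's own URL.
 * No header at all on a state-changing action is treated as forged (fail closed).
 */
function example_request_is_same_origin() {
    $site_host = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    $source    = '';
    if ( ! empty( $_SERVER['HTTP_ORIGIN'] ) ) {
        $source = $_SERVER['HTTP_ORIGIN'];
    } elseif ( ! empty( $_SERVER['HTTP_REFERER'] ) ) {
        $source = $_SERVER['HTTP_REFERER'];
    }
    if ( '' === $source ) {
        return false;
    }
    $source_host = strtolower( (string) wp_parse_url( $source, PHP_URL_HOST ) );
    return '' !== $source_host && $source_host === $site_host;
}

function example_guard_approval_requests() {
    if ( ! example_is_approval_request() ) {
        return;
    }
    $ok = example_request_is_same_origin();
    // Log every attempt, allowed or not, so the approval audit has a record
    // to reconcile against the accounts that were actually approved.
    error_log( sprintf(
        'user-approval request method=%s ip=%s origin=%s referer=%s same_origin=%s uri=%s',
        isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['HTTP_ORIGIN'] ) ? $_SERVER['HTTP_ORIGIN'] : '-',
        isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '-',
        $ok ? 'yes' : 'no',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );
    if ( ! $ok ) {
        wp_die( 'Cross-site user-approval request rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}

// Run at load time rather than on a hook so it precedes any plugin code.
example_guard_approval_requests();
```

The fail-closed choice means an approval link followed from an email client (which sends no Referer) is also rejected; that is consistent with item 2, which wants approvals performed only from the site's own admin UI. Remove the guard once the patched version is installed and the nonce and capability checks have been verified in the handler.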
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-03-25T17:47:42.219Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68487f5b1b0bd07c3938bc81
Added to database: 6/10/2025, 6:54:19 PM
Last enriched: 7/10/2025, 10:46:23 PM
Last updated: 7/28/2025, 10:46:06 AM
Related Threats
CVE-2025-8938: Backdoor in TOTOLINK N350R (Medium)
CVE-2025-8937: Command Injection in TOTOLINK N350R (Medium)
CVE-2025-8936: SQL Injection in 1000 Projects Sales Management System (Medium)
CVE-2025-5942: CWE-122 Heap-based Buffer Overflow in Netskope Netskope Client (Medium)
CVE-2025-5941: CWE-125 Out-of-Bounds Read in Netskope Netskope Client (Low)