CVE-2025-2797 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability affecting all versions of the Woffice Core plugin for WordPress up to and including 5.4.21. The root cause is the absence or incorrect implementation of nonce validation in the 'woffice_handle_user_approval_actions' function, which handles user approval actions within the plugin. Nonces are security tokens used in WordPress to verify that requests originate from legitimate users and not from malicious third parties. Without proper nonce checks, attackers can craft malicious URLs or forms that, when visited or submitted by an authenticated administrator, cause unintended actions such as approving user registrations. This vulnerability requires no prior authentication by the attacker but does require that a site administrator be tricked into clicking a malicious link or performing an action that triggers the forged request. The impact includes unauthorized approval of user registrations, potentially allowing attackers to gain elevated privileges or unauthorized access to the site. The CVSS v3.1 base score is 5.4, reflecting a network attack vector, low attack complexity, no privileges required, but requiring user interaction. The vulnerability affects confidentiality and integrity but does not impact availability. No public exploits are known at this time, and no official patches have been linked yet. However, the issue is publicly disclosed and should be addressed promptly to prevent exploitation.

The primary impact of this vulnerability is unauthorized approval of user registrations by attackers without authentication, which can lead to unauthorized access to the WordPress site or intranet managed by Woffice Core. This undermines the integrity of user management and could allow attackers to escalate privileges or perform further malicious activities under the guise of legitimate users. Confidentiality is impacted as unauthorized users may gain access to sensitive information intended only for approved users. Availability is not directly affected by this vulnerability. Organizations relying on Woffice Core for collaboration or intranet functionality may face increased risk of account compromise and insider threat scenarios. The attack requires social engineering to trick administrators, but once successful, it can bypass normal approval workflows, potentially leading to broader security incidents or data breaches.

To mitigate this vulnerability, organizations should immediately verify if they are using Woffice Core versions up to 5.4.21 and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should implement manual nonce validation in the 'woffice_handle_user_approval_actions' function to ensure that all approval requests include valid nonces before processing. Additionally, administrators should be trained to recognize and avoid clicking suspicious links, especially those received via email or untrusted sources. Implementing Web Application Firewalls (WAFs) with rules to detect and block CSRF attack patterns targeting the approval endpoint can provide temporary protection. Restricting administrative access to trusted networks or VPNs can reduce exposure. Regular audits of user approvals and registrations can help detect unauthorized approvals early. Finally, monitoring logs for unusual approval activity and enabling multi-factor authentication for admin accounts can further reduce risk.