CVE-2025-2798: CWE-269 Improper Privilege Management in XTENDIFY Woffice CRM
The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This makes it possible for unauthenticated attackers to register with an Administrator role if a custom login form is being used. This can be combined with CVE-2025-2797 to bypass the user approval process if an Administrator can be tricked into taking an action such as clicking a link.
AI Analysis
Technical Summary
CVE-2025-2798 is an improper privilege management vulnerability (CWE-269) in the Woffice CRM WordPress theme, affecting all versions up to and including 5.4.21. During self-registration the theme is supposed to exclude privileged roles from the set a new account can receive; that exclusion list is misconfigured, so when a custom login (registration) form is in use an unauthenticated visitor can submit a registration that is created in the Administrator role. No existing account or prior authentication is needed, which is why the CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity and availability. The score covers the role assignment on its own. If the site's user-approval workflow holds the new account in a pending state, the related CVE-2025-2797 can be used to bypass that approval, but only if an Administrator is tricked into an action such as clicking a link, so the chained path does require user interaction even though this CVE alone does not.
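The bug class the summary describes, as an added illustrative example (not Woffice's code, and not a claim about how the theme's handler is actually written; every function and variable name here is hypothetical): a registration handler that derives the new account's role from the request and applies its "excluded roles" denylist on only one of two form paths, beside a version that uses a single server-side allowlist on every path. The only WordPress facts relied on are that the core roles include administrator and subscriber and that the chosen role would be passed to wp_insert_user().

```php
<?php
// Added illustrative example, not Woffice's code. Models the bug class the
// advisory describes: a registration handler that derives the new user's role
// from request input and relies on an "excluded roles" list that is not
// applied on every form path. All names are hypothetical.

declare(strict_types=1);

// Roles WordPress ships with; a site's default_role is normally 'subscriber'.
const CORE_ROLES = ['administrator', 'editor', 'author', 'contributor', 'subscriber'];

// Pattern 1 (vulnerable): the exclusion list is only enforced when the stock
// form is used. A custom form takes the other branch, so a request carrying
// role=administrator is honoured as submitted.
function vulnerable_pick_role(array $post, bool $isCustomForm, array $excluded, string $defaultRole): string
{
    $requested = isset($post['role']) ? strtolower(trim((string) $post['role'])) : $defaultRole;
    if (!in_array($requested, CORE_ROLES, true)) {
        $requested = $defaultRole;
    }
    if (!$isCustomForm && in_array($requested, $excluded, true)) {
        // exclusion applied on the stock-form path only: this is the misconfiguration
        return $defaultRole;
    }
    return $requested;
}

// Pattern 2 (hardened): an allowlist of self-registrable roles, enforced
// server-side regardless of which form submitted the request. Anything not on
// the list falls back to the default role, and administrator can never be on it.
function hardened_pick_role(array $post, array $selfRegistrable, string $defaultRole): string
{
    if (!in_array($defaultRole, $selfRegistrable, true)) {
        $selfRegistrable[] = $defaultRole;
    }
    if (in_array('administrator', $selfRegistrable, true)) {
        throw new InvalidArgumentException('administrator must never be self-registrable');
    }
    $requested = isset($post['role']) ? strtolower(trim((string) $post['role'])) : $defaultRole;
    return in_array($requested, $selfRegistrable, true) ? $requested : $defaultRole;
}

// Stand-alone demonstration (php this_file.php) with a constructed request.
// In WordPress the returned role would be passed as 'role' to wp_insert_user().
$post = ['user_login' => 'newuser', 'user_email' => 'newuser@example.invalid', 'role' => 'administrator'];
$excluded = ['administrator', 'editor'];

printf("stock form, vulnerable:  %s\n", vulnerable_pick_role($post, false, $excluded, 'subscriber'));
printf("custom form, vulnerable: %s\n", vulnerable_pick_role($post, true, $excluded, 'subscriber'));
printf("custom form, hardened:   %s\n", hardened_pick_role($post, ['subscriber', 'contributor'], 'subscriber'));
```

Run it with PHP 7.0 or later. With the same request (role=administrator) the vulnerable function yields subscriber through the stock form but administrator through the custom form, which is the shape of the reported flaw; the hardened function yields subscriber on either path, because the role is chosen from an allowlist the client cannot widen. The general point: the set of self-registrable roles belongs in one server-side check on the code path every form shares, not in per-form exclusions.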
Potential Impact
Successful exploitation gives an unauthenticated attacker an Administrator account on the affected WordPress site. On a standard single-site install that is full control: reading or altering CRM and user data, creating further accounts, and (unless file modification is disabled) installing plugins or themes and therefore running arbitrary PHP on the host, as well as taking the site offline. Confidentiality, integrity and availability are all affected. Where the approval workflow is the only remaining barrier, CVE-2025-2797 can remove it if an Administrator can be induced to click an attacker-supplied link, so the two issues should be assessed and remediated together.
Mitigation Recommendations
Patch status is not confirmed on this page; the "up to, and including, 5.4.21" wording implies a fix in a later release, so check the vendor advisory and the theme's changelog and update as soon as a fixed version is available. Until then: disable or restrict self-registration (in WordPress this is the "Anyone can register" setting, stored in the users_can_register option, and the default role for new users, the default_role option, should be Subscriber); avoid custom login or registration forms that exercise the theme's registration path; and audit existing accounts for Administrators created through registration during the exposure window, reviewing both active and pending-approval users. Treat any unexpected Administrator as an indicator of compromise and rotate credentials, API keys and salts accordingly. Keep monitoring vendor communications so the patch is applied promptly once released.
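An added audit helper for the account review above. It is not part of Woffice, WordPress or this page; the query in the comment, the wp_ table prefix, the cutoff date and the sample rows are all assumptions (the rows are constructed for the example and the cutoff is taken from this CVE's reservation date). It decodes each user's wp_capabilities meta, which WordPress stores as a PHP-serialized array, and lists Administrators registered on or after the cutoff.

```php
<?php
// Added audit helper, not part of Woffice or WordPress. It expects rows from a
// query such as (assumed 'wp_' prefix; adjust to the site's $table_prefix):
//   SELECT u.ID, u.user_login, u.user_registered, m.meta_value
//   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
//   WHERE m.meta_key = 'wp_capabilities';
// and returns the accounts holding the administrator role that were registered
// within the exposure window, for review as possible CVE-2025-2798 abuse.

declare(strict_types=1);

/**
 * Decode a wp_capabilities value. WordPress stores it as a PHP-serialized
 * array such as a:1:{s:13:"administrator";b:1;}. allowed_classes=false keeps
 * unserialize() from instantiating objects if the column has been tampered with.
 */
function decode_capabilities(string $serialized): array
{
    $caps = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($caps)) {
        return [];
    }
    // keep only the roles/capabilities that are set to true
    return array_keys(array_filter($caps, static fn($v) => $v === true));
}

/**
 * Return the rows that hold 'administrator' and were registered at or after
 * $since (inclusive), skipping logins known to be legitimate.
 */
function suspicious_admins(array $rows, string $since, array $knownGood = []): array
{
    $sinceTs = strtotime($since);
    $hits = [];
    foreach ($rows as $row) {
        if (in_array($row['user_login'], $knownGood, true)) {
            continue;
        }
        $roles = decode_capabilities($row['meta_value']);
        if (!in_array('administrator', $roles, true)) {
            continue;
        }
        if (strtotime($row['user_registered']) >= $sinceTs) {
            $hits[] = [
                'ID' => $row['ID'],
                'user_login' => $row['user_login'],
                'user_registered' => $row['user_registered'],
                'roles' => $roles,
            ];
        }
    }
    return $hits;
}

// Constructed sample rows standing in for the query result above.
$rows = [
    ['ID' => 1,  'user_login' => 'siteowner',    'user_registered' => '2023-01-10 09:00:00',
     'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
    ['ID' => 57, 'user_login' => 'jdoe',         'user_registered' => '2025-04-02 14:21:07',
     'meta_value' => 'a:1:{s:10:"subscriber";b:1;}'],
    ['ID' => 58, 'user_login' => 'support_team', 'user_registered' => '2025-04-03 03:12:55',
     'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
    ['ID' => 59, 'user_login' => 'broken',       'user_registered' => '2025-04-03 03:13:00',
     'meta_value' => 'O:8:"stdClass":0:{}'], // tampered or unexpected value: decodes to no roles
];

// Cutoff assumed from this CVE's reservation date; use the earliest date the
// vulnerable theme version was exposed on the site being reviewed.
foreach (suspicious_admins($rows, '2025-03-25', ['siteowner']) as $hit) {
    printf("review: ID %d %s registered %s roles=%s\n",
        $hit['ID'], $hit['user_login'], $hit['user_registered'], implode(',', $hit['roles']));
}
```

Requires PHP 7.4 or later (arrow functions). Run against the real query output rather than the sample rows, and compare the flagged accounts against the site's change history and the theme's pending-approval list; an Administrator with a registration timestamp inside the window that nobody recognises should be treated as a compromise, not merely removed.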
Technical Details
Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-03-25T18:00:21.111Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 68487f5b1b0bd07c3938bd3a
Added to database: 6/10/2025, 6:54:19 PM
Last enriched: 4/9/2026, 5:16:20 PM
Last updated: 5/9/2026, 6:23:45 AM