CVE-2025-30772 describes a missing authorization vulnerability in the WPClever WPC Smart Upsell Funnel for WooCommerce plugin (versions up to 3.0.4). This vulnerability allows an attacker with limited privileges to escalate their privileges due to insufficient authorization checks in the plugin's code. The CVSS 3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network attack vector, low attack complexity, required privileges at a low level, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. The vulnerability is published but no patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation of this vulnerability could allow an attacker with low privileges to escalate their privileges, potentially gaining administrative control or access to sensitive data within the WooCommerce environment using the WPC Smart Upsell Funnel plugin. The impact affects confidentiality, integrity, and availability of the affected system. There are no known active exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix information is provided, users should monitor the vendor's communications for updates. Until a fix is available, consider restricting access to the plugin's administrative functions and limiting user privileges to reduce risk.