CVE-2025-4335: CWE-269 Improper Privilege Management in n3wnormal Woocommerce Multiple Addresses
The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the save_multiple_shipping_addresses() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
AI Analysis
Technical Summary
CVE-2025-4335 is a high-severity vulnerability affecting the Woocommerce Multiple Addresses plugin for WordPress, developed by n3wnormal. This plugin allows users to manage multiple shipping addresses within Woocommerce, a widely used e-commerce platform on WordPress. The vulnerability arises from improper privilege management (CWE-269) in the save_multiple_shipping_addresses() function. Specifically, the function does not sufficiently restrict which user meta fields can be updated by authenticated users. As a result, attackers with as low as Subscriber-level access can exploit this flaw to escalate their privileges to that of an administrator. This escalation occurs without requiring user interaction and can be executed remotely over the network (AV:N), with low attack complexity (AC:L). The vulnerability impacts all versions up to and including 1.0.7.1 of the plugin. The CVSS v3.1 score of 8.8 reflects the critical impact on confidentiality, integrity, and availability, as an attacker gaining admin privileges can fully compromise the WordPress site, including installing malicious plugins, modifying content, stealing sensitive data, or disrupting services. No public exploits are known at this time, but the ease of exploitation and the widespread use of Woocommerce in e-commerce sites make this a significant threat. The lack of available patches at the time of publication further increases risk for unpatched sites.
Potential Impact
For European organizations, this vulnerability poses a severe risk, especially for those operating e-commerce platforms using WordPress and the Woocommerce Multiple Addresses plugin. Successful exploitation can lead to full site compromise, data breaches involving customer personal and payment information, and disruption of online sales operations. This can result in financial losses, reputational damage, and regulatory penalties under GDPR due to unauthorized access to personal data. Small and medium enterprises (SMEs) that rely on Woocommerce for their online storefronts are particularly vulnerable, as they may lack dedicated security teams to promptly detect and remediate such issues. Additionally, compromised sites can be used as launchpads for further attacks within the network or for distributing malware to customers, amplifying the impact. The threat also extends to managed service providers hosting multiple client sites, where one compromised site could jeopardize others.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Woocommerce Multiple Addresses plugin and verify the version in use. Until an official patch is released, consider disabling or uninstalling the plugin to eliminate the attack surface. Implement strict access controls to limit Subscriber-level accounts and review user roles to ensure no unnecessary privileges are granted. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the save_multiple_shipping_addresses() function. Monitor logs for unusual activities indicative of privilege escalation attempts. Regularly back up WordPress sites and databases to enable rapid recovery in case of compromise. Once a patch is available, prioritize prompt application of updates. Additionally, consider implementing multi-factor authentication (MFA) for all administrative accounts to reduce the risk of unauthorized access post-exploitation.
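The two filtering patterns behind this class of bug and its fix, as an added example that is not the plugin's code (the advisory does not show how the plugin selects meta keys): a blocklist filter that misses role-bearing keys on a site with a non-default table prefix, the allowlist filter that writes only the address fields the feature needs, and a small detection helper for the log/WAF review recommended above. The field names, the `shop7_` prefix and the request dict are constructed; the `<prefix>capabilities` and `<prefix>user_level` keys are WordPress's standard role storage in user meta.

```python
"""Added example, not the plugin's code: allowlist vs. blocklist for
user-meta writes driven by a submitted form.

Assumptions (not from the advisory): the handler receives a dict of
submitted field name -> value, and WordPress stores role assignments in
the user-meta keys "<table_prefix>capabilities" and "<table_prefix>user_level".
"""
import re

# Only the address fields the feature actually needs may ever be written.
ALLOWED_META_KEYS = frozenset({
    "shipping_first_name", "shipping_last_name", "shipping_address_1",
    "shipping_address_2", "shipping_city", "shipping_postcode", "shipping_country",
})

# A generic weak pattern (not what the advisory says the plugin did): accept
# everything except a fixed set of names. It misses any site whose table
# prefix is not the default "wp_".
NAIVE_BLOCKLIST = frozenset({"wp_capabilities", "wp_user_level"})

# Role-bearing meta keys regardless of table prefix.
_CAP_KEY = re.compile(r"^[A-Za-z0-9_]*(capabilities|user_level)$")


def filter_by_blocklist(submitted: dict) -> dict:
    """Weak pattern: drop only the blocklisted key names."""
    return {k: v for k, v in submitted.items() if k not in NAIVE_BLOCKLIST}


def filter_by_allowlist(submitted: dict) -> dict:
    """Hardened pattern: keep only the keys the feature defines."""
    return {k: v for k, v in submitted.items() if k in ALLOWED_META_KEYS}


def touches_privilege_meta(meta_updates: dict) -> list:
    """Detection helper: list keys that would change a user's role or level,
    independent of table prefix. Suitable as a log or WAF review rule."""
    return sorted(k for k in meta_updates if _CAP_KEY.match(k))


if __name__ == "__main__":
    # Constructed request: one legitimate address field plus two role-bearing
    # keys, one under the default prefix and one under a custom "shop7_" prefix.
    submitted = {
        "shipping_city": "Berlin",
        "wp_capabilities": {"administrator": True},
        "shop7_capabilities": {"administrator": True},
    }
    print("blocklist keeps :", filter_by_blocklist(submitted))
    print("allowlist keeps :", filter_by_allowlist(submitted))
    print("privilege keys  :", touches_privilege_meta(submitted))
```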
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-05T15:32:04.904Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d981bc4522896dcbd9a19
Added to database: 5/21/2025, 9:08:43 AM
Last enriched: 7/5/2025, 2:27:22 PM
Last updated: 8/11/2025, 11:56:35 PM