The vulnerability identified as CVE-2025-4335 affects the n3wnormal Woocommerce Multiple Addresses plugin for WordPress, which is widely used to manage multiple shipping addresses in e-commerce stores. The core issue is improper privilege management (CWE-269) due to insufficient validation and restrictions on user meta data updates within the save_multiple_shipping_addresses() function. This function allows authenticated users with Subscriber-level access or higher to modify user meta fields that should be restricted, enabling them to escalate their privileges to that of an administrator. The vulnerability impacts all versions up to and including 1.0.7.1. The CVSS 3.1 base score of 8.8 reflects a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N), with unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). This means an attacker only needs to be authenticated with minimal privileges to fully compromise the site, gaining administrative control. The vulnerability is particularly dangerous because it allows full control over the WordPress environment, including the ability to install malicious plugins, modify content, steal data, or disrupt service. No patches or fixes are currently linked, and no known exploits have been reported in the wild, but the vulnerability is publicly disclosed and thus likely to be targeted soon. The plugin’s popularity in e-commerce environments makes this a critical risk for online retailers using WordPress and Woocommerce.

The impact of CVE-2025-4335 is severe for organizations running WordPress sites with the vulnerable Woocommerce Multiple Addresses plugin. Successful exploitation grants attackers administrative privileges, enabling full control over the website. This can lead to data breaches involving customer information, payment data, and internal business data. Attackers can also deface websites, inject malware, or use the compromised site as a launchpad for further attacks within the network. For e-commerce businesses, this can result in financial losses, reputational damage, regulatory penalties, and operational disruption. The vulnerability affects all organizations using this plugin regardless of size, but those with high traffic or sensitive customer data are at greater risk. Since the attack requires only authenticated access at a low privilege level, insider threats or compromised user accounts can be leveraged easily. The lack of user interaction requirement and network exploitability further increase the threat’s reach and potential damage.

To mitigate CVE-2025-4335, organizations should immediately verify if they use the n3wnormal Woocommerce Multiple Addresses plugin and identify the version installed. If possible, update to a patched version once released by the vendor. Until a patch is available, restrict access to the plugin’s functionality by limiting user roles that can interact with shipping address features, especially removing Subscriber-level users if not necessary. Implement strict role-based access controls and audit user permissions regularly. Monitor logs for unusual changes to user meta data or privilege escalations. Employ Web Application Firewalls (WAF) with custom rules to detect and block suspicious requests targeting the save_multiple_shipping_addresses() function. Consider disabling or removing the plugin if it is not essential. Additionally, enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised accounts being leveraged for privilege escalation. Regularly back up WordPress sites and test restoration procedures to recover quickly from potential compromises.