CVE-2025-6730: CWE-862 Missing Authorization in amans2k Bonanza – WooCommerce Free Gifts Lite
The Bonanza – WooCommerce Free Gifts Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the xlo_optin_call() function in all versions up to, and including, 1.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set the opt-in status to success.
AI Analysis
Technical Summary
CVE-2025-6730 is a security vulnerability identified in the Bonanza – WooCommerce Free Gifts Lite plugin for WordPress, developed by amans2k. This vulnerability is classified under CWE-862, which corresponds to Missing Authorization. The issue arises due to the absence of a proper capability check in the xlo_optin_call() function across all versions up to and including 1.0.0 of the plugin. Specifically, this flaw allows authenticated users with as low as Subscriber-level privileges to modify the opt-in status to 'success' without proper authorization.

The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The attacker must have some level of authenticated access (PR:L), but no higher privileges such as Administrator are necessary. The impact is limited to integrity, as the attacker can alter data related to opt-in status, but confidentiality and availability remain unaffected. The CVSS v3.1 base score is 4.3, indicating a medium severity level. No known exploits are currently reported in the wild, and no patches have been published at the time of this report.

The vulnerability could be leveraged to manipulate marketing or promotional data, potentially skewing analytics or triggering unintended promotional benefits. Since WooCommerce is a widely used e-commerce platform on WordPress, and this plugin is designed to manage free gift offers, the vulnerability could be abused to fraudulently claim gifts or manipulate opt-in statuses, undermining business processes and customer trust. However, the requirement for authenticated access limits exploitation to users who have already registered or have some level of access to the WordPress site.
Potential Impact
For European organizations using WordPress with the Bonanza – WooCommerce Free Gifts Lite plugin, this vulnerability could lead to unauthorized modification of promotional opt-in statuses, potentially resulting in fraudulent claims of free gifts or manipulation of marketing data. This can cause financial losses, reputational damage, and erosion of customer trust. Although the vulnerability does not directly impact confidentiality or availability, the integrity compromise could affect business operations and marketing analytics. Organizations in sectors such as retail, e-commerce, and marketing agencies that rely on WooCommerce for customer engagement are particularly at risk. Given the medium severity and the requirement for authenticated access, the threat is more relevant to organizations with open or loosely controlled user registration policies. Additionally, GDPR considerations around data integrity and customer consent may be implicated if opt-in statuses are manipulated without proper authorization, potentially leading to compliance issues.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately audit their WordPress installations to identify the presence of the Bonanza – WooCommerce Free Gifts Lite plugin, especially versions up to 1.0.0. Until an official patch is released, organizations should consider the following specific actions:
1) Restrict user registration and limit Subscriber-level access to trusted users only, reducing the risk of unauthorized exploitation.
2) Implement additional access controls or custom capability checks on the xlo_optin_call() function by applying temporary code patches or using WordPress hooks to enforce authorization.
3) Monitor logs for unusual changes to opt-in statuses or free gift claims to detect potential exploitation attempts.
4) Disable or remove the plugin if it is not essential to business operations.
5) Engage with the plugin vendor or community to track the release of official patches and apply them promptly once available.
6) Educate site administrators and users about the risks of unauthorized access and encourage strong password policies and multi-factor authentication to reduce the likelihood of compromised accounts.
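The following is an added illustrative example, not code from the Bonanza – WooCommerce Free Gifts Lite plugin: a hypothetical WordPress AJAX handler that writes an opt-in status, shown first in the CWE-862 shape the advisory describes (no capability check) and then hardened with current_user_can(), a nonce check and a value allow-list. The option name xlo_demo_optin_status, the AJAX action xlo_demo_optin, the nonce action and the two function names are assumptions.

```php
<?php
// Added example; not the plugin's own code. All xlo_demo_* names are hypothetical.

// BEFORE (CWE-862 pattern): wp_ajax_* actions are reachable by any logged-in user,
// so with no capability check a Subscriber-level account can write privileged state.
function xlo_demo_optin_vulnerable() {
    $status = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    update_option( 'xlo_demo_optin_status', $status );   // unauthorized write
    wp_send_json_success( array( 'status' => $status ) );
}

// AFTER: authorization, request-forgery protection and strict input validation.
function xlo_demo_optin_hardened() {
    // 1. Authorization: only users who may manage site settings can change the status.
    //    wp_send_json_error() ends the request, so nothing below runs on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF: the request must carry a nonce issued for this specific action
    //    (created on the client side with wp_create_nonce( 'xlo_demo_optin_nonce' )).
    check_ajax_referer( 'xlo_demo_optin_nonce', 'nonce' );

    // 3. Validation: accept only known states instead of any attacker-chosen string.
    $allowed = array( 'pending', 'success', 'declined' );
    $status  = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid status' ), 400 );
    }

    update_option( 'xlo_demo_optin_status', $status );
    wp_send_json_success( array( 'status' => $status ) );
}

// Register only the logged-in hook; deliberately no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_xlo_demo_optin', 'xlo_demo_optin_hardened' );
```

The capability check is the control whose absence this advisory records; the nonce and allow-list are the companion checks a reviewer expects beside it in any WordPress handler that mutates state.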
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-26T15:16:33.726Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68889537ad5a09ad008cc7e0
Added to database: 7/29/2025, 9:32:39 AM
Last enriched: 7/29/2025, 9:48:12 AM
Last updated: 9/9/2025, 12:51:18 PM