CVE-2025-6730 identifies a missing authorization vulnerability (CWE-862) in the Bonanza – WooCommerce Free Gifts Lite plugin for WordPress, versions up to and including 1.0.0. The vulnerability arises because the xlo_optin_call() function lacks a capability check, allowing any authenticated user with at least Subscriber-level access to manipulate the opt-in status to 'success'. This unauthorized modification can affect the integrity of the data related to user opt-in statuses, potentially skewing marketing or promotional mechanisms dependent on this status. The vulnerability does not expose confidential information nor does it allow denial of service, but it undermines trust in the plugin's data handling. The attack vector is network-based (remote), requiring only low privileges (authenticated Subscriber or higher), and no user interaction is necessary. The vulnerability is present in all versions of the plugin up to 1.0.0, and no patches or fixes have been published at the time of reporting. No known exploits have been observed in the wild, but the flaw could be leveraged by malicious authenticated users or compromised accounts to manipulate opt-in data. The CVSS v3.1 score is 4.3 (medium), reflecting the limited impact on confidentiality and availability but acknowledging the integrity impact and ease of exploitation by low-privilege authenticated users.

The primary impact of CVE-2025-6730 is on data integrity within affected WordPress sites using the Bonanza – WooCommerce Free Gifts Lite plugin. Unauthorized users with Subscriber-level access can alter opt-in statuses, potentially enabling fraudulent or unintended promotional benefits or skewing marketing analytics. While this does not directly compromise sensitive user data or site availability, it can undermine business processes relying on accurate opt-in information, leading to financial or reputational damage. Attackers could exploit this to gain unfair advantages in promotional campaigns or disrupt customer engagement strategies. The vulnerability requires authenticated access, limiting exploitation to users with existing accounts, but since Subscriber-level access is commonly granted to many users, the risk is non-trivial. Organizations relying on this plugin for e-commerce promotions should consider the integrity risks significant enough to warrant prompt remediation. The lack of known exploits reduces immediate risk, but the vulnerability remains exploitable in environments with untrusted authenticated users or compromised accounts.

To mitigate CVE-2025-6730, organizations should first check for and apply any available patches or updates from the plugin vendor once released. In the absence of a patch, administrators should restrict Subscriber-level user capabilities to trusted individuals only, minimizing the risk of exploitation by untrusted users. Implementing strict user role management and monitoring for unusual opt-in status changes can help detect exploitation attempts. Additionally, consider disabling or replacing the Bonanza – WooCommerce Free Gifts Lite plugin if it is not essential, or temporarily removing it until a fix is available. Employing Web Application Firewalls (WAF) with custom rules to detect and block unauthorized calls to the xlo_optin_call() function may provide interim protection. Regularly auditing user accounts and permissions, especially Subscriber roles, will reduce the attack surface. Finally, educating site administrators about this vulnerability and encouraging vigilance in monitoring plugin behavior is critical.