CVE-2025-2266

Published Mar 29, 2025

Last updated 11 days ago

CVSS critical 9.8
WordPress
WooCommerce

Overview

Description
The Checkout Mestres do WP for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the cwmpUpdateOptions() function in versions 8.6.5 to 8.7.5. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Source
security@wordfence.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@wordfence.com
CWE-862

Social media

Hype score
Not currently trending

  1. CVE-2025-2266 — WordPress Plugin Exploit [1] https://t.co/00u8zChXD3 Hunting @fofabot body="checkout-mestres-wp" [+] Step 2: User 'adminx' registered successfully. [!] Set password manually from admin panel or reset link. https://t.co/tIhKnH1Jmb

    @akaclandestine

    30 Mar 2025

    2585 Impressions

    11 Retweets

    43 Likes

    28 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 CVE-2025-2266 — #WordPress Plugin Exploit CVSS:9.8 (#Critical) PoC: https://t.co/4G3zNt51sw #Trump #كل_عام_وانتم_بخير #Hacking #hackaccount

    @Nxploited

    29 Mar 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. [CVE-2025-2266: CRITICAL] WordPress plugin Checkout Mestres do WP for WooCommerce versions 8.6.5 to 8.7.5 contain a critical vulnerability allowing unauthenticated attackers to escalate privileges by altering user...#cybersecurity,#vulnerability https://t.co/kYqqhHTZcT https://t.

    @CveFindCom

    29 Mar 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. �� CVE-2025-2266 - WordPress - HIGH 🚨 🗓️ Date published 2025-03-29 07:15:18 UTC #WordPress #CyberSecurity #InfoSec #Vulnerability #TechNews https://t.co/ci9wdcdLOj

    @vulns_space

    29 Mar 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.CVE-2026-2486
  2. WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.CVE-2026-26370
  3. The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version.CVE-2025-67846
  4. The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.CVE-2025-9501
  5. The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.CVE-2025-8085

References

Sources include official advisories and independent security research.