CVE-2025-2798

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published: Apr 4, 2025
Updated: Apr 7, 2025
CWE ID: 269

Summary

CVE-2025-2798: The Woffice CRM theme for WordPress contains an Authentication Bypass vulnerability. This issue arises from a misconfiguration of excluded roles during registration, allowing unauthenticated attackers to register with an Administrator role. This vulnerability is significant because an attacker can exploit it to gain administrative access if a custom login form is in use. Furthermore, it can be exploited in conjunction with CVE-2025-2797 to bypass the user approval process, enabling attackers to create an administrator account without the need for approval from existing administrators.
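As an added illustration, not the Woffice theme's code, the hypothetical WordPress registration handlers below contrast the deny-list ("excluded roles") pattern at the root of this issue, which fails open when the list is misconfigured, with an allow-list that never lets self-registration assign the administrator role. Function names and the shape of the request array are assumptions; only WordPress core functions are used.

```php
<?php
// Hypothetical handlers (not Woffice code). Assumes WordPress core is loaded.

// Weak pattern: the role comes from the request and is only checked against a
// list of excluded roles. If 'administrator' is missing from $excluded_roles,
// an unauthenticated request can register an administrator account.
function weak_register_user( array $req, array $excluded_roles ) {
    $role = isset( $req['role'] ) ? sanitize_key( $req['role'] ) : get_option( 'default_role' );
    if ( in_array( $role, $excluded_roles, true ) ) {
        return new WP_Error( 'role_forbidden', 'Role not allowed.' );
    }
    return wp_insert_user( array(
        'user_login' => sanitize_user( $req['username'] ),
        'user_email' => sanitize_email( $req['email'] ),
        'user_pass'  => $req['password'],
        'role'       => $role,
    ) );
}

// Hardened pattern: self-assignable roles are an explicit allow-list, filtered
// against the roles actually installed and with 'administrator' always removed.
// Any other requested role falls back to the site's default role, and the
// stored role is re-checked after creation.
function safe_register_user( array $req, array $allowed_roles = array( 'subscriber' ) ) {
    $installed = array_keys( wp_roles()->roles );
    $allowed   = array_diff( array_intersect( $allowed_roles, $installed ), array( 'administrator' ) );

    $requested = isset( $req['role'] ) ? sanitize_key( $req['role'] ) : '';
    $role      = in_array( $requested, $allowed, true ) ? $requested : get_option( 'default_role' );

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $req['username'] ),
        'user_email' => sanitize_email( $req['email'] ),
        'user_pass'  => $req['password'],
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // Defensive re-check: even if default_role is misconfigured, a
    // self-registered account must never end up with administrator.
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        $user->set_role( 'subscriber' );
        error_log( sprintf( 'self-registration demoted user %d from administrator', $user_id ) );
    }
    return $user_id;
}
```

The `error_log` call gives operations a line to alert on, since a self-registered account landing in the administrator role is exactly the condition this CVE describes.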
