VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published Nov 11, 2025 · Updated Apr 15, 2026

CVE-2025-11237


Description

The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Make Email Customizer for WooCommerce plugin up to 1.0.6 allows any authenticated user (e.g., Subscriber) to update arbitrary WordPress options via AJAX actions lacking authorization and validation.

Vulnerability

Overview

The Make Email Customizer for WooCommerce plugin for WordPress, versions 1.0.6 and earlier, contains a missing authorization and option validation flaw in its AJAX actions. This vulnerability allows any authenticated user, including those with privileges as low as Subscriber, to update arbitrary WordPress options [1]. The root cause is the lack of proper capability checks and input validation on the AJAX handlers, which are intended for administrative functions but are exposed to lower-privileged users.
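The flaw class described above, as an added illustration that is not the plugin's own code: a generic WordPress AJAX option-update handler in its flawed form, followed by a hardened form with a capability check, nonce verification and an allowlist of option keys. The action name, option keys and the `manage_options` capability are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code). Hook names, option keys and the
// required capability are assumptions chosen for illustration.

// --- Flawed pattern (for contrast only; do not register it):
// wp_ajax_* hooks are reachable by ANY logged-in user, including Subscribers.
// The handler trusts the caller-supplied option name and value, so any
// WordPress option can be overwritten.
function mec_save_option_unsafe() {
    update_option(
        wp_unslash( $_POST['option_name'] ),
        wp_unslash( $_POST['option_value'] )
    );
    wp_send_json_success();
}

// --- Hardened pattern: authorization, CSRF protection, allowlist, sanitizing.
add_action( 'wp_ajax_mec_save_option', 'mec_save_option_safe' );
function mec_save_option_safe() {
    // 1. Authorization: only users allowed to manage site options (admins).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: nonce issued by wp_create_nonce( 'mec_save_option' )
    //    and sent by the settings page in the 'nonce' POST field.
    check_ajax_referer( 'mec_save_option', 'nonce' );

    // 3. Allowlist: only the plugin's own option keys, each with a sanitizer,
    //    so core options (siteurl, default_role, admin_email, ...) are unreachable.
    $allowed = array(
        'mec_header_color' => 'sanitize_text_field',
        'mec_footer_text'  => 'sanitize_textarea_field',
        'mec_logo_url'     => 'esc_url_raw',
    );
    $key = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( $allowed[ $key ], $raw );

    update_option( $key, $value );
    wp_send_json_success( array( 'option' => $key ) );
}
```

A quick review check for any plugin AJAX handler is whether all three controls are present: `current_user_can()` with a meaningful capability, `check_ajax_referer()`, and a fixed allowlist of writable keys rather than a caller-controlled option name.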

Exploitation

Conditions

An attacker needs only a valid WordPress account with Subscriber-level access or higher. No additional authentication or network position is required; being authenticated to the site is sufficient. The attacker can craft a malicious AJAX request targeting the plugin's endpoints, bypassing the intended access controls to modify any WordPress option in the database [1].

Impact

Successful exploitation enables an attacker to change critical WordPress settings, such as the site URL, admin email, or user roles, potentially leading to full site compromise. For example, an attacker could set the default user role to Administrator, redirect new registrations, or alter the site's home URL to a malicious domain. This vulnerability is rated Medium severity (CVSS 5.3) due to the low privileges required and the high potential impact on site integrity and confidentiality [1].

Mitigation

Status

As of the latest advisory, no fix is available for this vulnerability [1]. The plugin is closed-source and no longer maintained, so users are advised to remove or replace the plugin with an alternative solution. There is no known workaround that does not involve code changes. The vulnerability was publicly disclosed on October 21, 2025, and has been added to the WPScan vulnerability database [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.