Unrated severityNVD Advisory· Published Apr 4, 2025· Updated Apr 8, 2026
Woffice Core <= 5.4.21 - Cross-Site Request Forgery to User Registration Approval
CVE-2025-2797
Description
The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3<=5.4.21+ 1 more
- (no CPE)range: <=5.4.21
- (no CPE)range: 0
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.