High severity8.8NVD Advisory· Published May 7, 2025· Updated Apr 15, 2026
CVE-2025-3852
CVE-2025-3852
Description
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email & password through the update() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- plugins.trac.wordpress.org/browser/wpshop/tags/2.6.0//core/external/eo-framework/modules/wpeo-model/class/user.class.phpnvd
- plugins.trac.wordpress.org/browser/wpshop/tags/2.6.0//modules/api/action/class-api-action.phpnvd
- plugins.trac.wordpress.org/browser/wpshop/tags/2.6.0/core/external/eo-framework/modules/wpeo-model/class/rest.class.phpnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/96b8186c-dfe9-4137-b28d-cc09a25aa9acnvd
News mentions
0No linked articles in our index yet.