High severity · 8.8 · NVD Advisory · Published May 7, 2025 · Updated Apr 15, 2026
CVE-2025-3852
Description
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. The plugin does not properly validate a user's identity before updating account details such as email and password through the update() function. This makes it possible for authenticated attackers with subscriber-level access and above to change arbitrary users' passwords, including those of administrators, and leverage that to gain access to their accounts.
Affected products
- WPshop 2 – E-Commerce plugin for WordPress (no CPE), versions >=2.0.0, <=2.6.0
- Package: https://wordpress.org/plugins/wpshop
References
- plugins.trac.wordpress.org/browser/wpshop/tags/2.6.0//core/external/eo-framework/modules/wpeo-model/class/user.class.php (nvd)
- plugins.trac.wordpress.org/browser/wpshop/tags/2.6.0//modules/api/action/class-api-action.php (nvd)
- plugins.trac.wordpress.org/browser/wpshop/tags/2.6.0/core/external/eo-framework/modules/wpeo-model/class/rest.class.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/96b8186c-dfe9-4137-b28d-cc09a25aa9ac (nvd)