Description
The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options.
Published: 2025-11-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Arbitrary Option Modification
Action: Implement Workaround
AI Analysis

Impact

The vulnerability resides in the Make Email Customizer for WooCommerce plugin through version 1.0.6, where callback functions handling AJAX requests lack checks that confirm the caller is authorized to perform configuration changes. An authenticated user with the Subscriber role can therefore invoke these endpoints and submit arbitrary option names and values, overriding default WordPress settings. This allows the attacker to alter site behavior, potentially modify URLs, feature flags, or logging settings, which could degrade site integrity or expose further attack vectors.

Affected Systems

The affected product is the Make Email Customizer for WooCommerce plugin installed on WordPress sites. Versions through 1.0.6 are vulnerable. Any site that has installed this plugin and grants the Subscriber role to users is at risk, even if the attacker does not have administrative privileges.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, and the EPSS score listed as < 1% suggests a very low probability of exploitation in the wild. The vulnerability is not currently recorded in CISA's KEV catalog. The attack requires the attacker to be authenticated, so any account with Subscriber privileges can send a crafted AJAX request to alter options. Because the plugin permits arbitrary option updates, the attacker could potentially change configuration settings that influence overall site functionality or security.

Generated by OpenCVE AI on April 28, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the AJAX action so that only administrators can invoke it, either by editing the plugin or using a role-management tool.
  • Remove or downgrade the Subscriber role's capability to edit options through a capabilities plugin or custom code.
  • Deploy a security plugin that blocks unauthorized AJAX calls or monitors for unauthorized option changes.
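As an added example that is not the plugin's own code, a WordPress AJAX handler written the way the first two actions above require: a nonce check, a `manage_options` capability check, and an allowlist of option names. The action name, nonce name and option names are hypothetical placeholders.

```php
<?php
// Added example, not code from the Make Email Customizer plugin: a hardened
// WordPress AJAX handler. Action name, nonce name and the allowlisted option
// names below are hypothetical placeholders.

// Only options the plugin itself owns may be written; core options such as
// siteurl or default_role are never reachable through this handler.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_plugin_header_color',   // hypothetical plugin-owned option
    'example_plugin_footer_text',    // hypothetical plugin-owned option
);

function example_save_option_ajax() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_save_option', 'nonce' );

    // 2. Authorization: the missing check in the vulnerable pattern. Only
    //    users with manage_options (administrators by default) continue;
    //    a Subscriber is rejected with HTTP 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Option validation: the option name is normalised and must match
    //    the fixed allowlist, so arbitrary option names are refused.
    $name = isset( $_POST['option'] )
        ? sanitize_key( wp_unslash( $_POST['option'] ) )
        : '';
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'Option not permitted' ), 400 );
    }

    // 4. Value sanitisation before it is persisted.
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( $name, $value );

    wp_send_json_success( array( 'option' => $name ) );
}

// Registered for logged-in users only; deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_save_option', 'example_save_option_ajax' );
```

Monitoring for the third action can hook `updated_option` and log any write to an option outside the plugin's allowlist.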

Advisories

No advisories yet.

History

Wed, 12 Nov 2025 22:15:00 +0000

Metrics (values added):
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 12 Nov 2025 13:00:00 +0000

First Time appeared (values added): Wordpress; Wordpress wordpress
Vendors & Products (values added): Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 06:15:00 +0000

Description (value added): The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options.
Title (value added): Make Email Customizer for WooCommerce <= 1.0.6 - Subscriber+ Arbitrary Options Update
References

Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:51.448Z

Reserved: 2025-10-02T04:56:22.528Z

Link: CVE-2025-11237

Vulnrichment

Updated: 2025-11-12T21:25:11.159Z

NVD

Status : Deferred

Published: 2025-11-11T06:15:34.690

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:30:29Z

Weaknesses

No weakness.