Impact
The Simple Registration for WooCommerce plugin is missing a nonce check on the role‑request approval page. Because the approval action is accepted on the strength of the administrator's session cookie alone, an unauthenticated attacker can cause a forged request to be submitted that grants administrative privileges to a pending user. The root weakness is cross‑site request forgery (CWE‑352), and its direct consequence is privilege escalation. The attacker exploits the issue by luring an administrator into opening a crafted URL or link; the administrator's browser automatically attaches the site's cookies to that request, so the role request is approved and the pending user's access level is elevated.
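The mechanism described above is the standard WordPress CSRF pattern: a privileged state change that is triggered by a GET request without a nonce. The following is an added illustration written for this advisory, not code from the Simple Registration for WooCommerce plugin; the function, action and capability names prefixed `sr_example_` are hypothetical placeholders, and only the WordPress core APIs (`check_admin_referer`, `wp_nonce_url`, `current_user_can`, `admin_post_*`) are real. It shows the weak handler shape beside the hardened one a maintainer would ship.

```php
<?php
// Added illustration, not the plugin's own code. All names prefixed
// sr_example_ are hypothetical placeholders for this example.

// Weak pattern: the request is trusted on the strength of the admin's
// session cookie alone, so a link the admin is lured into opening
// is enough to trigger the role change.
function sr_example_approve_request_weak() {
    $user_id = absint( $_GET['user_id'] ?? 0 );
    $user    = get_user_by( 'id', $user_id );
    if ( $user ) {
        $user->set_role( 'administrator' ); // no nonce, no capability check
    }
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// Hardened pattern: require a nonce bound to this action and target user,
// plus a capability check, so a forged cross-site request is rejected.
function sr_example_approve_request_safe() {
    $user_id = absint( $_GET['user_id'] ?? 0 );

    // check_admin_referer() validates the _wpnonce query parameter that
    // wp_nonce_url() added below and dies with a 403 page if it is absent
    // or invalid. Binding the action string to the user ID means a token
    // minted for one approval cannot be replayed against another user.
    check_admin_referer( 'sr_example_approve_' . $user_id );

    // A valid nonce only proves the request came from a page WordPress
    // rendered for this session; the capability check is still required.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_die( 'Unknown user.', '', array( 'response' => 404 ) );
    }

    $user->set_role( 'administrator' );
    wp_safe_redirect( add_query_arg( 'sr_example_approved', '1', admin_url( 'users.php' ) ) );
    exit;
}
add_action( 'admin_post_sr_example_approve', 'sr_example_approve_request_safe' );

// Building the approval link in the admin UI. wp_nonce_url() appends a
// _wpnonce parameter tied to the current user's session and to the same
// action string the handler checks.
function sr_example_approval_link( $user_id ) {
    $user_id = absint( $user_id );
    $url     = add_query_arg(
        array(
            'action'  => 'sr_example_approve',
            'user_id' => $user_id,
        ),
        admin_url( 'admin-post.php' )
    );
    return esc_url( wp_nonce_url( $url, 'sr_example_approve_' . $user_id ) );
}
```

The important property is that the nonce is generated server‑side for the logged‑in administrator and is never known to a third‑party page, so a crafted link cannot carry a valid `_wpnonce` value. When reviewing a plugin for this class of bug, look for every `admin_post_*`, `admin-ajax.php` or `admin_init` handler that changes state and confirm it calls `check_admin_referer()` or `wp_verify_nonce()` together with a `current_user_can()` check before acting.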
Affected Systems
All deployments of the Astoundify Simple Registration for WooCommerce plugin, versions 1.5.8 and earlier, are affected. The current CVE data does not identify a fixed release, so treat any installation at or below version 1.5.8 as vulnerable until the vendor publishes a patched version and the plugin is updated.
Risk and Exploitability
With a CVSS score of 8.8, the flaw is rated high severity, yet its EPSS score of less than 1% indicates that, as of the last assessment, exploitation in the wild is unlikely. The vulnerability is not listed in CISA's KEV catalog. The only prerequisite is an attacker, who needs no authentication of their own, able to persuade or force an administrator to open a crafted page; no network‑level or privileged access is required beyond this social engineering step. The risk to confidentiality and integrity is significant, since an account elevated to administrator could modify site content, posts, or administrative settings.
OpenCVE Enrichment