Description
The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-04-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery allows unauthenticated actors to approve user registrations without admin consent
Action: Apply Patch
AI Analysis

Impact

The flaw is a missing or incorrect nonce check in the plugin’s user approval function, which lets an attacker send a forged request to approve any registration. Since the action occurs when an administrator is prompted to click a link or take an action, the vulnerability can bypass the mandatory approval step and create user accounts that bypass the intended approval workflow.

Affected Systems

All WordPress sites using Woffice Core up to and including version 5.4.21 are affected. The issue is specific to the WofficeIO Woffice Core plugin.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low current exploitation likelihood. The vulnerability is not listed in CISA’s KEV catalog and requires social engineering to exploit, as the attacker must convince an administrator to trigger the forged request. If exploited, the attacker could gain unauthorized account creation privileges, potentially leading to further attacks if those accounts are used as footholds.

Generated by OpenCVE AI on April 28, 2026 at 02:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Woffice Core to version 5.4.22 or later, which removes the CSRF weakness.
  • If an immediate update is not possible, disable the registration approval workflow or remove the 'approve user' capability from administrators to block the compromised action.
  • Apply a temporary manual patch by adding a nonce verification check to the 'woffice_handle_user_approval_actions' function until the official fix is applied.
  • Educate site administrators to verify the legitimacy of any links or requests before clicking them.

Generated by OpenCVE AI on April 28, 2026 at 02:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9683 The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Fri, 08 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Xtendify
Xtendify woffice
CPEs cpe:2.3:a:xtendify:woffice:*:*:*:*:*:wordpress:*:*
Vendors & Products Xtendify
Xtendify woffice

Mon, 09 Jun 2025 20:30:00 +0000

Type Values Removed Values Added
References

Fri, 04 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 07:15:00 +0000

Type Values Removed Values Added
Description The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Woffice Core <= 5.4.21 - Cross-Site Request Forgery to User Registration Approval
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Wofficeio Woffice Core
Wordpress Wordpress
Xtendify Woffice
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:10.874Z

Reserved: 2025-03-25T17:47:42.219Z

Link: CVE-2025-2797

cve-icon Vulnrichment

Updated: 2025-04-04T13:20:05.108Z

cve-icon NVD

Status : Analyzed

Published: 2025-04-04T07:15:42.380

Modified: 2025-08-08T20:06:18.657

Link: CVE-2025-2797

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T02:30:18Z

Weaknesses