Description
Missing Authorization vulnerability in WPClever WPC Smart Upsell Funnel for WooCommerce wpc-smart-upsell-funnel allows Privilege Escalation. This issue affects WPC Smart Upsell Funnel for WooCommerce: from n/a through <= 3.0.4.
Published: 2025-03-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a missing authorization check that allows an attacker to arbitrarily update plugin options, effectively giving them elevated privileges within WordPress. Such option changes can grant the attacker additional access or modify the store’s behavior.

Affected Systems

WordPress users running the WPC Smart Upsell Funnel for WooCommerce plugin version 3.0.4 or earlier are vulnerable. The issue was discovered in the WPClever implementation of this plugin and affects all installations using any of the affected releases.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability poses a high risk, though the EPSS score of less than 1% indicates a low probability of current exploitation. The flaw is not listed in the CISA KEV catalog, suggesting no large-scale exploitation has been documented. Attack vectors are inferred to be through the WordPress admin interface, as the lack of authorization allows unauthorized users to modify plugin options.

Generated by OpenCVE AI on May 1, 2026 at 04:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPC Smart Upsell Funnel for WooCommerce to version 3.0.5 or later
  • Restrict access to the plugin’s settings page to administrators only, removing lower‑privilege roles
  • Monitor the wp_options table and plugin logs for unexpected changes and audit user activity

Advisories
Source: EUVD
ID: EUVD-2025-8401
Title: Missing Authorization vulnerability in WPClever WPC Smart Upsell Funnel for WooCommerce allows Privilege Escalation. This issue affects WPC Smart Upsell Funnel for WooCommerce: from n/a through 3.0.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Missing Authorization vulnerability in WPClever WPC Smart Upsell Funnel for WooCommerce allows Privilege Escalation. This issue affects WPC Smart Upsell Funnel for WooCommerce: from n/a through 3.0.4.
  Values Added: Missing Authorization vulnerability in WPClever WPC Smart Upsell Funnel for WooCommerce wpc-smart-upsell-funnel allows Privilege Escalation. This issue affects WPC Smart Upsell Funnel for WooCommerce: from n/a through <= 3.0.4.
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 27 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WPClever WPC Smart Upsell Funnel for WooCommerce allows Privilege Escalation. This issue affects WPC Smart Upsell Funnel for WooCommerce: from n/a through 3.0.4.
Title WordPress WPC Smart Upsell Funnel for WooCommerce plugin <= 3.0.4 - Arbitrary Option Update to Privilege Escalation vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:56.856Z

Reserved: 2025-03-26T09:19:49.549Z

Link: CVE-2025-30772

Vulnrichment

Updated: 2025-03-27T13:59:08.350Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:38.397

Modified: 2026-04-23T15:27:02.413

Link: CVE-2025-30772

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:15:08Z

Weaknesses