Description
Incorrect Privilege Assignment vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows Privilege Escalation.This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through <= 2.4.37.
Published: 2025-06-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light contains an incorrect privilege assignment flaw that can allow attackers to acquire higher rights than intended. The weakness aligns with CWE‑266 and can potentially enable an attacker to create or modify content with elevated privileges, leading to site compromise or unauthorized changes.

Affected Systems

The vulnerability affects all releases of the Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin up to and including version 2.4.37. Users running any of these versions within a WordPress installation are at risk.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is not explicitly described in the CVE data; it is inferred that exploitation would likely require a user with some level of site access to manipulate the plugin’s input handling, but the exact conditions are not specified.

Generated by OpenCVE AI on April 30, 2026 at 18:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Spreadsheet Price Changer plugin to the latest released version that includes the privilege assignment fix, if one is available.
  • Disable or uninstall the plugin until a patched version is released.
  • Audit and adjust WordPress user roles to minimize elevated privileges, especially for users who have access to the plugin’s interface.

Generated by OpenCVE AI on April 30, 2026 at 18:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17529 Incorrect Privilege Assignment vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Privilege Escalation. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Privilege Escalation. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37. Incorrect Privilege Assignment vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows Privilege Escalation.This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through <= 2.4.37.
Title WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Privilege Escalation Vulnerability WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin <= 2.4.37 - Privilege Escalation Vulnerability
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00059}

 epss

{'score': 0.00021}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00054}

 epss

{'score': 0.00059}

Tue, 10 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Privilege Escalation. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.
Title WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Privilege Escalation Vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.203Z

Reserved: 2025-05-15T18:01:28.792Z

Link: CVE-2025-48129

cve-icon Vulnrichment

Updated: 2025-06-10T13:42:14.487Z

cve-icon NVD

Status : Deferred

Published: 2025-06-09T16:15:43.133

Modified: 2026-04-23T15:30:50.937

Link: CVE-2025-48129

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T18:15:06Z

Weaknesses