CVE-2025-49924 - Vulnerability Details

- WordPress Wholesale Suite plugin <= 2.2.4.2 - Privilege Escalation vulnerability

Description

Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation.This issue affects Wholesale Suite: from n/a through <= 2.2.4.2.

Published: 2025-10-22

Score: 7.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Wholesale Suite plugin for WooCommerce contains an incorrect privilege assignment flaw that permits users with limited access to elevate their privileges. This deficiency allows an attacker who has a non‑privileged account to gain higher, potentially administrative rights, compromising the integrity and confidentiality of the hosted website. The weakness is categorized as CWE‑266, insecure authorization.

Affected Systems

Any installation of Wholesale Suite version 2.2.4.2 or earlier, including releases without a specified version number, is affected. The plugin is used in WordPress sites that integrate WooCommerce wholesale pricing functionality.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity. The EPSS score of less than 1% suggests a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user with non‑privileged access who exploits the flawed privilege assignment logic to obtain administrative capabilities. The description does not provide explicit prerequisites, but it is inferred that the attacker must log in to the site first. Once escalated, the attacker could modify wholesale pricing, access sensitive order data, or alter site configuration.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Josh Kohlbach

Wholesale Suite

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.2.4.2

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Wholesale Suite to a version greater than 2.2.4.2.
Configure WordPress role permissions to restrict access to wholesale pricing functions, ensuring that only necessary users retain any privileges.
Review WooCommerce user capabilities to minimize the potential impact of privilege escalation before the patch is applied.

Generated by OpenCVE AI on April 30, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00052.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/woocommerce-wholesale-prices/vulnerability/wordpress-wholesale-suite-plugin-2-2-4-2-privilege-escalation-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}`	cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-wholesale-prices/vulnerability/wordpress-wholesale-suite-plugin-2-2-4-2-privilege-escalation-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/Wordpress/Plugin/woocommerce-wholesale-prices/vulnerability/wordpress-wholesale-suite-plugin-2-2-4-2-privilege-escalation-vulnerability?_s_id=cve

Thu, 13 Nov 2025 11:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-wholesale-prices/vulnerability/wordpress-wholesale-suite-plugin-2-2-4-2-privilege-escalation-vulnerability

Thu, 13 Nov 2025 10:45:00 +0000

Type	Values Removed	Values Added
References		https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-wholesale-prices/vulnerability/wordpress-wholesale-suite-plugin-2-2-4-2-privilege-escalation-vulnerability?_s_id=cve

Thu, 23 Oct 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}`

Thu, 23 Oct 2025 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 23 Oct 2025 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation.This issue affects Wholesale Suite: from n/a through <= 2.2.4.2.
Title		WordPress Wholesale Suite plugin <= 2.2.4.2 - Privilege Escalation vulnerability
Weaknesses		CWE-266
References		https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-wholesale-prices/vulnerability/wordpress-wholesale-suite-plugin-2-2-4-2-privilege-escalation-vulnerability

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-10-22T14:32:13.804Z

Updated: 2026-04-28T16:13:08.005Z

Reserved: 2025-06-11T16:07:08.210Z

Link: CVE-2025-49924

Vulnrichment

Updated: 2025-10-23T15:30:07.022Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:38.327

Modified: 2026-04-27T20:16:17.770

Link: CVE-2025-49924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:00:14Z

Weaknesses

CWE-266

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object