Impact
Unauthenticated attackers can leverage a flaw in the Registration Form for WooCommerce plugin (versions up to 1.0.9) to create or modify user accounts with elevated privileges, enabling them to perform administrative actions without authorization. This flaw allows the attacker to bypass normal role restrictions and gain control over the site’s content and settings, potentially compromising data confidentiality, integrity, and availability.
Affected Systems
WordPress sites that use the ThemeGrill Registration Form for WooCommerce plugin, version 1.0.9 or earlier. All installations running these versions are vulnerable. The plugin should be upgraded to version 1.1.0 or later to eliminate the issue.
Risk and Exploitability
The vulnerability carries a CVSS score of 9.8, indicating critical severity. The EPSS score is not available, but the lack of authentication requirement suggests a high likelihood of exploitation if attackers know the site uses the affected plugin. The vulnerability is not currently present in CISA’s KEV catalog, yet its potential for wide impact warrants urgent attention. The attacker can exploit the publicly accessible registration form to gain elevated privileges without any prior access, making the attack vector straightforward for automated or manual exploitation.
OpenCVE Enrichment