CVE-2025-11237: 
WordPress vulnerability analysis and mitigation

The Make Email Customizer for WooCommerce WordPress plugin through version 1.0.6 contains a security vulnerability identified as CVE-2025-11237. The vulnerability was discovered and disclosed on October 21, 2025, affecting the plugin's AJAX actions functionality. The issue stems from improper authorization checks and option validation, which impacts WordPress installations using the affected plugin versions (WPScan).

The vulnerability is characterized by insufficient authorization controls in the plugin's AJAX actions, which allows any authenticated user with privileges as low as Subscriber to update arbitrary WordPress options. The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 5.3 (MEDIUM) according to CISA-ADP's evaluation (NVD).

The vulnerability allows authenticated users with minimal privileges (Subscriber level) to modify WordPress system settings. This includes the ability to enable public registration and modify default user roles, potentially leading to privilege escalation by allowing attackers to create administrator accounts (WPScan).

No official fix has been released for this vulnerability as of the disclosure date. Website administrators using the Make Email Customizer for WooCommerce plugin should consider disabling the plugin until a security update is available (WPScan).