CVE-2025-2266: 
WordPress vulnerability analysis and mitigation

The Checkout Mestres do WP for WooCommerce plugin for WordPress (versions 8.6.5 to 8.7.5) contains a critical vulnerability that allows unauthorized modification of data leading to privilege escalation. The vulnerability stems from a missing capability check in the cwmpUpdateOptions() function, which enables unauthenticated attackers to update arbitrary options on WordPress sites. This vulnerability was discovered and disclosed on March 29, 2025, and has been assigned CVE-2025-2266 (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The security flaw is categorized as CWE-862 (Missing Authorization). The vulnerability exists in the cwmpUpdateOptions() function where a missing capability check allows unauthorized access to update WordPress site options (Wordfence).

The vulnerability allows attackers to update arbitrary options on the WordPress site, including the ability to modify the default role for new user registrations to administrator and enable user registration. This can be exploited to gain administrative access to vulnerable sites, effectively compromising the entire WordPress installation (NVD).

The plugin has been temporarily closed as of March 27, 2025, pending a full security review. Site administrators using affected versions (8.6.5 to 8.7.5) should immediately disable the plugin until a patched version is available (WordPress Plugin).