CVE-2025-3063: 
WordPress vulnerability analysis and mitigation

The Shopper Approved Reviews plugin for WordPress contains a privilege escalation vulnerability (CVE-2025-3063) discovered in versions 2.0 to 2.1. The vulnerability stems from a missing capability check in the ajaxcallbackupdatesaoption() function, which allows authenticated attackers with Subscriber-level access or higher to modify arbitrary WordPress site options (NVD).

The vulnerability exists due to improper authorization controls in the ajaxcallbackupdatesaoption() function. The function fails to properly validate user capabilities before allowing modifications to WordPress site options. This vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is classified as CWE-862: Missing Authorization (NVD, Wordfence).

The vulnerability allows attackers to update arbitrary WordPress site options, including the ability to modify the default registration role to administrator and enable user registration. This effectively enables attackers to create administrator accounts on vulnerable sites, leading to complete site compromise (NVD).

Site administrators should immediately update the Shopper Approved Reviews plugin to version 2.2 or later, which includes a security fix for this vulnerability. The update implements proper capability checks to prevent unauthorized users from modifying site options (NVD).