CVE-2025-30772: 
WordPress vulnerability analysis and mitigation

The CVE-2025-30772 is a Missing Authorization vulnerability discovered in WPClever WPC Smart Upsell Funnel for WooCommerce plugin that allows Privilege Escalation. This vulnerability affects versions through 3.0.4 of the WPC Smart Upsell Funnel for WooCommerce plugin. The vulnerability was disclosed on March 27, 2025 (NVD, Patchstack).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 8.8 (HIGH). The attack vector is characterized as Network-based (AV:N) with Low attack complexity (AC:L), requiring Low privileges (PR:L) and No user interaction (UI:N). The scope is Unchanged (S:U) with High impact on Confidentiality (C:H), Integrity (I:H), and Availability (A:H) (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to perform privilege escalation. If successfully exploited, attackers could gain unauthorized access to update arbitrary options on the WordPress site, potentially leading to full administrative control of the vulnerable website (Patchstack).

The vulnerability has been fixed in version 3.0.5 of the WPC Smart Upsell Funnel for WooCommerce plugin. Users are strongly advised to update to this version or later immediately. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until users can update to the fixed version (Patchstack).