CVE-2025-3906: 
WordPress vulnerability analysis and mitigation

The Integração entre Eduzz e Woocommerce plugin for WordPress contains a missing capability check vulnerability (CVE-2025-3906) in versions up to and including 1.7.5. The vulnerability was discovered and disclosed on April 26, 2025. The plugin lacks proper authorization controls in the 'wep_opcoes' function, affecting WordPress installations using this integration plugin (NVD, Wiz).

The vulnerability stems from a missing capability check in the 'wep_opcoes' function, which allows authenticated users with Subscriber-level access or higher to modify the default registration role settings. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity and requiring low privileges (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access to modify the default registration role within the plugin's registration flow to Administrator. This enables any user to create an Administrator account, effectively compromising the entire WordPress installation (NVD, Wiz).

Website administrators should immediately update the Integração entre Eduzz e Woocommerce plugin to a version newer than 1.7.5 once a patch becomes available. In the meantime, it is recommended to restrict access to the plugin's settings page to trusted administrators only or consider temporarily disabling the plugin if it's not critical to operations (Wiz).