CVE-2025-54697: 
WordPress vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2025-54697) was discovered in the Kadence WooCommerce Email Designer WordPress plugin, affecting versions up to 1.5.16. The vulnerability was reported by Denver Jackson on July 11, 2025, and publicly disclosed on August 14, 2025. This security issue is classified as an Incorrect Privilege Assignment vulnerability that could allow privilege escalation in the plugin developed by Liquid Web / StellarWP (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the following vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue is categorized under CWE-266 (Incorrect Privilege Assignment) and requires Shop manager privileges to exploit. The vulnerability affects the plugin's privilege management system (Patchstack, NVD).

The vulnerability could allow malicious actors to escalate their low-privileged account to one with higher privileges. If successfully exploited, attackers could potentially gain full control of the website if high privileges are obtained (Patchstack).

The vulnerability has been fixed in version 1.5.17 of the Kadence WooCommerce Email Designer plugin. Users are strongly advised to update to version 1.5.17 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).