CVE-2025-3852 Overview
CVE-2025-3852 is a privilege escalation vulnerability in the WPshop 2 – E-Commerce plugin for WordPress, affecting versions 2.0.0 through 2.6.0. The flaw resides in the plugin's update() function, which fails to validate a user's identity before modifying account details such as email address and password. Authenticated attackers with subscriber-level access or higher can change passwords on arbitrary accounts, including administrator accounts. Successful exploitation results in full account takeover and complete compromise of the affected WordPress site. The weakness is classified as CWE-269: Improper Privilege Management.
Critical Impact
A subscriber-level account can be used to reset any administrator's password, leading to full site takeover, content manipulation, and potential pivoting to server-side compromise.
Affected Products
- WPshop 2 – E-Commerce plugin for WordPress, version 2.0.0
- WPshop 2 – E-Commerce plugin for WordPress, versions 2.0.1 through 2.5.x
- WPshop 2 – E-Commerce plugin for WordPress, version 2.6.0
Discovery Timeline
- 2025-05-07 - CVE-2025-3852 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-3852
Vulnerability Analysis
The WPshop 2 plugin exposes an API endpoint that proxies user-update operations through the plugin's REST and model classes. The update() method in the plugin's user model accepts arbitrary user fields, including user_email and user_pass, from a request payload. The handler does not verify that the requesting user is the same as the user being updated, and it does not enforce a capability check restricting the operation to administrators. Any authenticated user can supply a target user ID along with new credentials. The plugin then writes those credentials to the database on behalf of the targeted account. Because WordPress administrators are addressable by numeric ID, an attacker can iterate over low IDs to locate privileged accounts.
Root Cause
The root cause is missing authorization in the user update flow. The code path in user.class.php, called via class-api-action.php and rest.class.php, lacks a current_user_can() check or ownership comparison between the requesting user and the user record being modified. Identity validation that should gate password and email mutations is absent.
Attack Vector
Exploitation requires only a subscriber-level account, and many WordPress sites allow visitors to self-register at that level. The attacker sends an authenticated request to the plugin's user update endpoint with a payload containing the victim's user ID and an attacker-chosen user_pass value. The plugin writes the new password hash, allowing the attacker to log in as the targeted administrator. No interaction from the victim is required.
Detailed source references are available in the WordPress Plugin Code Reference, the WordPress API Action Code, and the WordPress REST Class Code.
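The following is an added illustration, not code from the WPshop plugin or the advisory. It shows the vulnerable pattern the root cause describes (a user update handler that trusts a caller-supplied user ID and performs no ownership or capability check) next to a hardened form that gates the change on the WordPress edit_user meta capability at both the REST permission_callback and inside the handler. The REST namespace, route, function names and the current_pass re-authentication parameter are assumptions chosen for the example.

```php
<?php
// Added example, not WPshop code. Route name, namespace, parameter names and
// function names are assumptions.

// --- Vulnerable pattern (the CVE-2025-3852 shape): trusts the caller's ID ---
function wpshop_demo_update_user_vulnerable( WP_REST_Request $request ) {
    $target_id = (int) $request->get_param( 'id' );
    $fields    = array( 'ID' => $target_id );
    foreach ( array( 'user_email', 'user_pass' ) as $key ) {
        if ( null !== $request->get_param( $key ) ) {
            $fields[ $key ] = $request->get_param( $key );
        }
    }
    // No comparison of $target_id with get_current_user_id() and no
    // capability check: any logged-in user can rewrite another account.
    $result = wp_update_user( $fields );
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'updated' => $target_id ) );
}

// --- Hardened pattern: ownership or edit_user capability, enforced twice ---
// 1) permission_callback runs before the handler and is the REST-layer gate.
function wpshop_demo_update_user_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $target_id = (int) $request->get_param( 'id' );
    // 'edit_user' is a meta capability: administrators hold it for every
    // user, non-administrators only for their own account.
    if ( $target_id === get_current_user_id() || current_user_can( 'edit_user', $target_id ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'You may only edit your own account.', array( 'status' => 403 ) );
}

// 2) The handler re-checks, so the guard survives the function being reused
//    from another entry point (for example the plugin's API action class).
function wpshop_demo_update_user_hardened( WP_REST_Request $request ) {
    $target_id = (int) $request->get_param( 'id' );
    if ( $target_id !== get_current_user_id() && ! current_user_can( 'edit_user', $target_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }
    $fields = array( 'ID' => $target_id );
    $email  = $request->get_param( 'user_email' );
    if ( null !== $email ) {
        $fields['user_email'] = sanitize_email( $email );
    }
    $pass = $request->get_param( 'user_pass' );
    if ( null !== $pass ) {
        // Require the caller's own current password before accepting a new
        // one (assumed 'current_pass' parameter); this also blocks a riding
        // session from silently changing credentials.
        $current = wp_get_current_user();
        if ( ! wp_check_password( (string) $request->get_param( 'current_pass' ), $current->user_pass, $current->ID ) ) {
            return new WP_Error( 'invalid_password', 'Current password does not match.', array( 'status' => 403 ) );
        }
        $fields['user_pass'] = $pass;
    }
    $result = wp_update_user( $fields );
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'updated' => $target_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wpshop-demo/v1', '/user/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'wpshop_demo_update_user_hardened',
        'permission_callback' => 'wpshop_demo_update_user_permission',
        'args'                => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
    ) );
} );
```

Only the hardened handler is registered as a route; the vulnerable function is kept purely for comparison. The check is duplicated on purpose: a permission_callback protects the REST entry point, but the same update logic is often reachable through an admin-ajax action or a direct method call, which is why the handler itself must refuse to act on an account the caller cannot edit.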
Detection Methods for CVE-2025-3852
Indicators of Compromise
- Unexpected password or email changes on administrator accounts recorded in the WordPress wp_users table or audit logs.
- HTTP requests to the WPshop API action endpoint containing a user_pass or user_email parameter targeting a user ID other than the requester's.
- New administrator logins from IP addresses that previously authenticated as subscribers.
- Subscriber-level accounts performing repeated requests to the plugin's REST routes within a short time window.
Detection Strategies
- Enable WordPress activity logging to capture user profile updates and correlate the acting user ID against the modified user ID.
- Inspect web server access logs for POST requests to WPshop API endpoints originating from low-privilege session cookies.
- Alert when password hashes in wp_users change without a corresponding password reset email or admin-initiated action.
Monitoring Recommendations
- Monitor for privilege role transitions, especially subscriber-to-administrator escalations within the same session.
- Track failed-then-successful admin logins that immediately follow API calls to plugin endpoints.
- Forward WordPress and web server logs to a centralized analytics platform for cross-source correlation.
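As an added example (not part of the advisory), the must-use plugin below implements two of the detection strategies listed above in WordPress itself: it correlates the acting user against the modified user whenever a password or email changes, and it periodically compares administrator password hashes against a stored snapshot so that writes which bypass wp_update_user() are still noticed. The option name, log prefix and cron hook name are assumptions; whether the vulnerable code path goes through wp_update_user() is also an assumption, which is why the second check exists.

```php
<?php
// Added example, not part of the advisory or the WPshop plugin. Drop it in
// wp-content/mu-plugins/. Option name, log format and hook name are assumed.

// (1) Correlate acting user against modified user on every profile update.
// profile_update fires from wp_update_user(); the actor is whoever holds the
// current session, the target is the record being written.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $actor_id = get_current_user_id();
    $new      = get_userdata( $user_id );
    if ( ! $new ) {
        return;
    }
    $changed = array();
    if ( $new->user_pass !== $old_user_data->user_pass ) {
        $changed[] = 'user_pass';
    }
    if ( $new->user_email !== $old_user_data->user_email ) {
        $changed[] = 'user_email';
    }
    if ( empty( $changed ) ) {
        return;
    }
    $actor         = $actor_id ? get_userdata( $actor_id ) : false;
    $actor_role    = $actor ? implode( ',', $actor->roles ) : 'none';
    $target_role   = implode( ',', $new->roles );
    $cross_account = $actor_id !== (int) $user_id;
    // A caller who cannot legitimately edit the target (or no authenticated
    // caller at all) changing another account's credentials is the
    // CVE-2025-3852 pattern.
    $suspicious = $cross_account && ( 0 === $actor_id || ! user_can( $actor_id, 'edit_user', $user_id ) );
    error_log( sprintf(
        '[wp-cred-watch] %s actor=%d(%s) target=%d(%s) fields=%s ip=%s',
        $suspicious ? 'ALERT' : 'INFO',
        $actor_id, $actor_role, $user_id, $target_role,
        implode( '+', $changed ), $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );
}, 10, 2 );

// (2) Periodically compare administrator password hashes against a snapshot.
// This catches code that writes to wp_users without going through the
// profile_update hook.
function wpcw_admin_hash_snapshot() {
    $snap  = array();
    $users = get_users( array( 'role' => 'administrator', 'fields' => array( 'ID', 'user_pass' ) ) );
    foreach ( $users as $u ) {
        // Store a digest of the stored hash rather than the hash itself.
        $snap[ (int) $u->ID ] = hash( 'sha256', $u->user_pass );
    }
    return $snap;
}

function wpcw_check_admin_hashes() {
    $previous = get_option( 'wpcw_admin_hash_snapshot', array() );
    $current  = wpcw_admin_hash_snapshot();
    foreach ( $current as $id => $digest ) {
        if ( isset( $previous[ $id ] ) && $previous[ $id ] !== $digest ) {
            error_log( sprintf( '[wp-cred-watch] ALERT administrator %d password hash changed since last snapshot', $id ) );
        } elseif ( ! isset( $previous[ $id ] ) && ! empty( $previous ) ) {
            error_log( sprintf( '[wp-cred-watch] ALERT new administrator account %d', $id ) );
        }
    }
    update_option( 'wpcw_admin_hash_snapshot', $current, false );
}

add_action( 'wpcw_hourly_check', 'wpcw_check_admin_hashes' );
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'wpcw_hourly_check' ) ) {
        wp_schedule_event( time(), 'hourly', 'wpcw_hourly_check' );
    }
} );
```

The ALERT lines are written with error_log() so they land in the PHP error log that the "forward logs to a centralized platform" recommendation already covers; a SIEM rule can key on the [wp-cred-watch] prefix. Legitimate administrator-initiated resets produce INFO records because the actor holds edit_user for the target, so the two checks together separate expected changes from the cross-account ones the advisory describes.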
How to Mitigate CVE-2025-3852
Immediate Actions Required
- Update the WPshop 2 – E-Commerce plugin to a version newer than 2.6.0 once a patched release is available from the vendor.
- Disable or deactivate the WPshop plugin until a fix can be applied if the site cannot be patched immediately.
- Disable open user registration on the WordPress site to reduce the pool of attackers that can reach the vulnerable endpoint.
- Force a password reset for all administrator and editor accounts and review user roles for unauthorized additions.
Patch Information
At the time of publication, no fixed version beyond 2.6.0 is referenced in the available advisory data. Refer to the Wordfence Vulnerability Intelligence entry for the latest patch status from the plugin maintainer.
Workarounds
- Restrict access to the plugin's REST API endpoints using a web application firewall rule that blocks update requests from non-administrator sessions.
- Set users_can_register to false in WordPress general settings to prevent attackers from creating subscriber accounts.
- Apply two-factor authentication on all administrator accounts so a stolen password alone does not yield session access.
# Configuration example: disable open registration via WP-CLI
wp option update users_can_register 0
wp option update default_role subscriber
# Deactivate the vulnerable plugin until patched
wp plugin deactivate wpshop
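Where deactivating the plugin is not an option and no vendor fix is available, the workaround of blocking non-administrator update requests can be applied inside WordPress rather than at a WAF. The following is an added example (not from the advisory or the plugin) of a must-use plugin that virtually patches the REST path by refusing any request to the plugin's routes that carries credential fields for an account the caller cannot edit. The route prefix and the id parameter names are assumptions and must be adjusted to the plugin's actual REST namespace; the admin-ajax action class mentioned in the technical details is not covered by this filter and needs an equivalent guard.

```php
<?php
// Added example, not part of the advisory or the WPshop plugin. Drop it in
// wp-content/mu-plugins/. '/wpshop/' as route prefix and the parameter names
// 'id' / 'user_id' are assumptions.

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    $route = $request->get_route();
    if ( 0 !== strpos( $route, '/wpshop/' ) ) {
        return $response;   // not one of the plugin's routes, leave untouched
    }
    $params = $request->get_params();
    if ( ! isset( $params['user_pass'] ) && ! isset( $params['user_email'] ) ) {
        return $response;   // no credential fields in the payload
    }
    // Work out which account the request is aimed at.
    $target = 0;
    if ( isset( $params['id'] ) ) {
        $target = (int) $params['id'];
    } elseif ( isset( $params['user_id'] ) ) {
        $target = (int) $params['user_id'];
    }
    $caller = get_current_user_id();
    if ( $target > 0 && $target !== $caller && ! current_user_can( 'edit_user', $target ) ) {
        error_log( sprintf(
            '[wpshop-vpatch] blocked credential change by user %d on user %d via %s from %s',
            $caller, $target, $route, $_SERVER['REMOTE_ADDR'] ?? '-'
        ) );
        // Returning a WP_Error here short-circuits the route's own callback.
        return new WP_Error( 'rest_forbidden', 'Credential changes on other accounts are restricted.', array( 'status' => 403 ) );
    }
    return $response;
}, 10, 3 );
```

The filter runs before the route's callback, so the plugin's update() method is never reached for a cross-account request. Every blocked attempt is logged with the caller, target and route, which feeds the indicator "requests containing user_pass or user_email targeting a user ID other than the requester's" listed under Detection Methods.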
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.