Home

Description

The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options.

PUBLISHED Reserved 2025-10-02 | Published 2025-11-11 | Updated 2025-11-12 | Assigner WPScan

Problem types

CWE-862 Missing Authorization

Product status

Default status
affected

Any version
affected

Credits

Khaled Alenazi (Nxploited) finder

WPScan coordinator

References

wpscan.com/...rability/88b46752-051b-4468-9e2b-cc81a9ce1075/ exploit vdb-entry technical-description

cve.org (CVE-2025-11237)

nvd.nist.gov (CVE-2025-11237)

Download JSON