CVE-2025-4335 in Woocommerce Multiple Addresses Plugin
Summary
by MITRE • 05/07/2025
The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the save_multiple_shipping_addresses() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/07/2025
The vulnerability identified in CVE-2025-4335 affects the WooCommerce Multiple Addresses plugin for WordPress, specifically targeting versions up to and including 1.0.7.1. This privilege escalation vulnerability stems from inadequate validation and sanitization of user meta data modifications within the plugin's functionality. The issue manifests through the save_multiple_shipping_addresses() function which fails to properly restrict user meta updates, creating a pathway for authenticated attackers to manipulate their access levels. The vulnerability is particularly concerning because it requires only subscriber-level access or higher to exploit, meaning that any user with basic account privileges can potentially elevate their permissions to administrator level. This represents a critical security flaw that undermines the fundamental access control mechanisms of WordPress sites utilizing this plugin.
The technical flaw resides in the insufficient input validation and access control measures implemented within the plugin's address management system. When users attempt to save multiple shipping addresses through the save_multiple_shipping_addresses() function, the plugin does not adequately verify whether the requesting user has proper authorization to modify sensitive user meta fields. This lack of proper access controls allows attackers to inject malicious data into user meta parameters that control administrative privileges. The vulnerability is classified as a privilege escalation issue under CWE-269, which specifically addresses "Improper Privilege Management" and falls under the broader category of insufficient access control mechanisms. The flaw enables attackers to manipulate user roles and capabilities through the plugin's address saving functionality, effectively bypassing standard WordPress permission systems.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it fundamentally compromises the security posture of WordPress installations using the affected plugin. An attacker with subscriber-level access can exploit this vulnerability to gain administrator privileges, potentially leading to complete system compromise. This includes the ability to modify or delete content, install malicious plugins, access sensitive user data, and modify site configurations. The vulnerability affects all WordPress sites running the affected WooCommerce Multiple Addresses plugin version, making it a widespread concern for online businesses relying on WordPress for their e-commerce operations. The impact is particularly severe because the vulnerability can be exploited by relatively low-privilege users, making it difficult to detect and prevent through standard security monitoring practices.
Mitigation strategies for CVE-2025-4335 should prioritize immediate plugin updates to versions that address the privilege escalation vulnerability, as recommended by the plugin developers and WordPress security teams. Organizations should implement comprehensive access control measures including role-based access controls, regular security audits, and monitoring for unauthorized privilege changes. The principle of least privilege should be enforced by ensuring that users have only the minimum permissions necessary for their roles, and that all user meta updates are properly validated and sanitized. Security professionals should also consider implementing network-based monitoring solutions to detect suspicious user meta modifications and privilege escalation attempts. Additionally, maintaining up-to-date security patches for WordPress core, themes, and plugins remains critical, as this vulnerability demonstrates the importance of proper input validation and access control implementation in third-party WordPress extensions. The ATT&CK framework categorizes this type of vulnerability under privilege escalation techniques, specifically targeting the use of application vulnerabilities to gain higher system access levels.