cleantalk
Vulnerabilities and Security Researches

Checkout Mestres WP, CVE-2025-2266

CVE, Research URL

CVE-2025-2266

Home page URL

Security reports for Checkout Mestres WP

Application

Checkout Mestres WP

Published on
Mar 29, 2025
Research Description
The Checkout Mestres do WP for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the cwmpUpdateOptions() function in versions 8.6.5 to 8.7.5. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Affected versions
Min 8.6.5, max 8.7.5.
Status
vulnerable
Previous vulnerability researches
Checkout Mestres WP (CVE-2025-2266) , Apr 02, 2025
Checkout Mestres WP (CVE-2024-44030) , Sep 28, 2024
Checkout Mestres WP (CVE-2023-51472) , Jun 06, 2024
Checkout Mestres WP (CVE-2023-51471) , Jun 06, 2024
Checkout Mestres WP (CVE-2023-51469) , Jun 06, 2024
New vulnerability
WordPress Job Board and Recruitment Plugin – JobWP (CVE-2025-2010) , Apr 20, 2025
WP Logger (CVE-2025-39456) , Apr 20, 2025
visualslider Sldier (CVE-2025-23448) , Apr 20, 2025
RSS Manager (CVE-2025-39418) , Apr 20, 2025
Contact Form vCard Generator (CVE-2025-39521) , Apr 20, 2025