CVE-2025-3848

The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1.1.0 to 2.7.13. This is due to the plugin not properly validating a user's identity prior to updating their email through the update() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/smartpay/tags/2.7.13/app/Http/Controllers/Rest/CustomerController.php#L51	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/c197e26f-745b-481a-a7b5-79d1211c02ea?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:themesgrove:wp_smartpay:*:*:*:*:*:wordpress:*:*

History

16 Jul 2025, 15:45

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-02 04:15

Updated : 2025-07-16 15:45

NVD link : CVE-2025-3848

Mitre link : CVE-2025-3848

CVE.ORG link : CVE-2025-3848

JSON object : View

Products Affected

themesgrove

wp_smartpay

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2025-3848", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-07-02T04:15:52.193", "references": [{"url": "https://plugins.trac.wordpress.org/browser/smartpay/tags/2.7.13/app/Http/Controllers/Rest/CustomerController.php#L51", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c197e26f-745b-481a-a7b5-79d1211c02ea?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "The Download Manager and Payment Form WordPress Plugin \u2013 WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1.1.0 to 2.7.13. This is due to the plugin not properly validating a user's identity prior to updating their email through the update() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account."}, {"lang": "es", "value": "El complemento Download Manager and Payment Form WordPress Plugin \u2013 WP SmartPay de WordPress es vulnerable a la escalada de privilegios mediante el robo de cuenta en las versiones 1.1.0 a 2.7.13. Esto se debe a que el complemento no valida correctamente la identidad del usuario antes de actualizar su correo electr\u00f3nico mediante la funci\u00f3n update(). Esto permite a atacantes autenticados, con acceso de suscriptor o superior, cambiar las direcciones de correo electr\u00f3nico de cualquier usuario, incluyendo administradores, y aprovechar esta situaci\u00f3n para restablecer la contrase\u00f1a del usuario y acceder a su cuenta."}], "lastModified": "2025-07-16T15:45:37.723", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:themesgrove:wp_smartpay:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "300643C9-00C3-47A7-BF96-C46309CA8E57", "versionEndIncluding": "2.7.13", "versionStartIncluding": "1.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}