CVE-2025-52836

2025-07-16 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 12:15 (nvd)

Description

Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP profitori allows Privilege Escalation. This issue affects The E-Commerce ERP: from n/a through <= 2.1.1.3.

Analysis

Privilege escalation in Unity Business Technology's E-Commerce ERP plugin (profitori) through version 2.1.1.3 allows attackers to gain elevated permissions due to incorrect privilege assignment. The affected component is a WordPress plugin. The EPSS exploitation probability is 0.09%, indicating low real-world exploitation likelihood despite the privilege escalation impact. No public exploit code or active exploitation (KEV status) has been confirmed.

Technical Context

The vulnerability stems from CWE-266 (Incorrect Privilege Assignment), a fundamental access control weakness where the application fails to properly validate or enforce privilege boundaries. In the context of the E-Commerce ERP WordPress plugin, this likely manifests as missing or improper capability checks in the plugin's role-based access control (RBAC) implementation, enabling lower-privileged users or unauthenticated actors to perform administrative functions. The profitori plugin operates within WordPress's permission model, where incorrect use of current_user_can() checks, or failure to validate which roles a caller may assign, creates the exploitation vector.
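The following is an added, hypothetical illustration of the CWE-266 pattern described above in WordPress terms; it is not code from the profitori plugin, and the handler names, capability choices and role list are assumptions. A role-changing AJAX handler is shown in a weak form (no capability check) beside a hardened form that enforces the capability, nonce and role-assignment policy that WordPress expects.

```php
<?php
// Added illustrative example, not code from the profitori plugin.
// Both handlers change a target user's role; only the second enforces privilege boundaries.

// WEAK (hypothetical): reachable by any logged-in user, no capability or nonce check.
add_action( 'wp_ajax_erp_set_role_weak', function () {
    $user_id = (int) ( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( $_POST['role'] ?? '' );
    $user    = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( $role ); // CWE-266: caller's own privilege level is never checked
    }
    wp_send_json_success();
} );

// HARDENED: capability check, CSRF nonce, role whitelist, and per-target authorisation.
add_action( 'wp_ajax_erp_set_role', function () {
    // 1. Only users who may promote others reach this code (core mitigation for CWE-266).
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Reject cross-site request forgery; the nonce action name is an assumption.
    check_ajax_referer( 'erp_set_role', '_wpnonce' );

    $user_id = (int) ( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( $_POST['role'] ?? '' );

    // 3. Restrict assignable roles to a plugin-defined policy (assumed list) so a caller
    //    cannot hand out 'administrator' even when it may change roles at all.
    $allowed_roles = array( 'subscriber', 'shop_manager', 'editor' );
    if ( ! in_array( $role, $allowed_roles, true ) || ! get_role( $role ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }

    // 4. The target must exist and the caller must be allowed to edit that specific user.
    $user = get_userdata( $user_id );
    if ( ! $user || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $user->set_role( $role );
    wp_send_json_success();
} );
```

When reviewing a plugin for this weakness, every `wp_ajax_*`, REST `permission_callback` and `admin_post_*` entry point that mutates roles, capabilities or settings should show the equivalent of step 1 before any state change.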

Affected Products

The E-Commerce ERP (profitori) plugin for WordPress, maintained by Unity Business Technology Pty Ltd, is affected in all versions from the initial release through version 2.1.1.3. The vulnerability is documented in the Patchstack advisory for the profitori plugin. No CPE string is available from the provided data.

Remediation

Update the profitori plugin to a version newer than 2.1.1.3. As of the analysis date, users should check the WordPress plugin repository or the vendor's advisory at https://patchstack.com/database/Wordpress/Plugin/profitori/vulnerability/wordpress-the-e-commerce-erp-2-1-1-3-privilege-escalation-vulnerability for the patched release version. Until patching is possible, restrict plugin access to trusted administrators only and consider temporarily disabling the plugin if the privilege escalation impact is unacceptable for your environment.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.1, CVSS +0, POC 0
