CVE-2025-60222

Severity: HIGH (CVSS 3.1 base score 8.8)
Published: 2025-10-22 ([email protected])

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Oct 22, 2025 - 15:15 (nvd)
Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)

Description

Incorrect Privilege Assignment vulnerability in FantasticPlugins SUMO Memberships for WooCommerce sumomemberships allows Privilege Escalation. This issue affects SUMO Memberships for WooCommerce: from n/a through <= 7.8.0.

Analysis

Privilege escalation in FantasticPlugins SUMO Memberships for WooCommerce (versions up to and including 7.8.0) lets an authenticated user with low-level privileges elevate to high-level access to WordPress site functions. The root cause is incorrect privilege assignment (CWE-266), which lets an attacker bypass the access controls the plugin intends to enforce. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8, High) says the attack is remote, needs no user interaction and only a low-privileged account, and results in complete compromise of the site's confidentiality, integrity and availability. EPSS probability is low (0.06%, 17th percentile), and no public exploit had been identified at the time of analysis; Patchstack has published advisory details.

Technical Context

This vulnerability affects the SUMO Memberships for WooCommerce plugin, a membership management system for WordPress e-commerce sites. CWE-266 (Incorrect Privilege Assignment) indicates that the plugin fails to validate or enforce user role boundaries when performing a privileged operation. In WordPress plugins this typically takes one of two forms: a sensitive function reachable by any logged-in user (for example an admin-ajax.php or REST handler) that lacks a capability check such as current_user_can(), or role-verification logic that is present but flawed, so that lower-privileged users (Subscriber, Customer, Contributor) can invoke functions intended only for Administrators or Shop Managers. On a WooCommerce store the low-privileged account the CVSS vector requires (PR:L) is frequently obtainable by self-registering as a customer, so PR:L should not be read as much of a barrier. Based on the WooCommerce integration context alone, and not on any published detail about the flawed function, membership role manipulation or payment-gated content access controls are the plausible operations being bypassed. All versions through 7.8.0 contain the flawed privilege assignment logic.
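The two patterns described above, a privileged handler with no capability check and its hardened form, shown side by side as an added example. This is generic WordPress plugin code written for this page, not code from SUMO Memberships or from the Patchstack advisory; the hook names, action names, function names and the example_member_* role slugs are assumptions chosen to illustrate CWE-266.

```php
<?php
// Illustrative only: a generic WordPress privilege-assignment flaw and its fix.
// NOT code from SUMO Memberships; every name below is an assumption.

// VULNERABLE PATTERN (hypothetical): wp_ajax_* handlers are reachable by any
// logged-in user, and this one trusts the request to decide who gets which role.
add_action( 'wp_ajax_example_assign_member_role', 'example_assign_member_role_vulnerable' );
function example_assign_member_role_vulnerable() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( $_POST['role'] ?? '' );

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    // No capability check and no nonce: a Subscriber or Customer can POST
    // user_id=<own id>&role=administrator and become an administrator.
    $user->set_role( $role );
    wp_send_json_success();
}

// HARDENED PATTERN: verify the nonce (CSRF), require a capability that only
// administrators hold (authorization), and constrain the role to an allow-list
// the plugin owns instead of accepting any WordPress role name from the request.
add_action( 'wp_ajax_example_assign_member_role_safe', 'example_assign_member_role_safe' );
function example_assign_member_role_safe() {
    check_ajax_referer( 'example_assign_member_role', '_wpnonce' );

    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( $_POST['role'] ?? '' );

    // Only membership-level roles the plugin defines may be assigned here
    // (assumed slugs); 'administrator' or 'shop_manager' can never be named.
    $allowed = array( 'example_member_basic', 'example_member_premium' );
    if ( ! in_array( $role, $allowed, true ) ) {
        wp_send_json_error( 'role not allowed', 400 );
    }

    // Per-target check via the edit_user meta capability, mirroring core's own
    // behaviour, so this endpoint cannot re-role accounts the caller may not edit.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    $user->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}
```

Note that the nonce alone would not have fixed the vulnerable handler: check_ajax_referer() only proves the request came from a page the same user loaded, which a low-privileged attacker can trivially satisfy. The authorization comes from current_user_can() on a capability the attacker's role lacks, and the allow-list removes the remaining risk of a privileged caller being tricked into assigning a role the plugin never meant to manage.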

Affected Products

FantasticPlugins SUMO Memberships for WooCommerce plugin for WordPress is affected in every version up to and including 7.8.0; the CVE record gives no lower bound ("from n/a"), so no earlier release should be assumed safe. This impacts WordPress sites running WooCommerce with the SUMO Memberships plugin installed for subscription and membership management. The vendor advisory and technical details are available through Patchstack's vulnerability database at the referenced URL; that entry lists 7.6.0 as the version specifically examined, while the advisory confirms the flaw persists through 7.8.0.

Remediation

Upgrade SUMO Memberships for WooCommerce to the first release after 7.8.0 that the vendor identifies as containing the fix, since every version through 7.8.0 is affected; the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/sumomemberships/ carries the vendor-specific remediation guidance and technical detail. If no fixed release is available yet, monitor FantasticPlugins' official channels and the WordPress plugin repository for a security update, and in the meantime reduce the attacker's foothold: because the flaw is reachable from any low-privileged account, temporarily disable new customer registration if the store can tolerate it, or add an additional authentication layer for customer accounts.

Treat the upgrade as containment, not as proof that nothing happened. Audit existing accounts for escalations that may already have occurred: in wp-admin under Users, list accounts by role and look for Administrator, Editor or Shop Manager accounts you do not recognise, Customer accounts that now also hold a higher role, and privileged accounts created after the vulnerability became known; check WooCommerce customer records for the same anomalies. Review whatever activity logging the site has for administrative actions performed by non-admin accounts, keeping in mind that WordPress core does not log role or capability changes, so this step depends on an audit-log plugin or web server access logs having been in place. Reset credentials and invalidate sessions for any account found to have been elevated.
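A worked version of the account audit described above, added here as an example (it is not from this page, from the plugin or from Patchstack). It is a script run inside the site's own WordPress context through WP-CLI's `wp eval-file`, using only WordPress core user APIs. The privileged-role list, the dangerous-capability list and the 2025-10-22 cutoff date are assumptions to be adjusted for the site being audited.

```php
<?php
/**
 * audit-roles.php: flag accounts whose role assignment looks like the result
 * of a privilege escalation. Run as:  wp eval-file audit-roles.php
 * Added example for this page; not code from SUMO Memberships or WordPress.
 */

// Roles that should only be held by known staff (assumption; extend per site).
$privileged_roles = array( 'administrator', 'editor', 'shop_manager' );

// Capabilities that amount to site takeover when granted directly to a user
// (i.e. stored in wp_capabilities outside any role). Assumed list.
$dangerous_caps = array(
    'manage_options', 'edit_users', 'promote_users', 'create_users',
    'install_plugins', 'edit_plugins', 'upload_plugins', 'unfiltered_html',
    'manage_woocommerce', 'edit_files',
);

// Privileged accounts created on or after this date get flagged
// (assumption: the CVE publication date; use the earliest plausible exposure).
$cutoff = new DateTimeImmutable( '2025-10-22' );

// Every role registered on this site; keys of wp_capabilities that are not
// role names are capabilities granted directly to the user.
$role_names = array_keys( wp_roles()->role_names );
$findings   = array();

foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
    $roles      = (array) $user->roles;
    $registered = new DateTimeImmutable( $user->user_registered );
    $reasons    = array();

    // 1. Privileged role on a recently created account.
    if ( array_intersect( $roles, $privileged_roles ) && $registered >= $cutoff ) {
        $reasons[] = 'privileged role on account registered ' . $user->user_registered;
    }

    // 2. More than one role. add_role() keeps the old role alongside the new one,
    //    so a Customer that was escalated via add_role() shows up as customer+administrator.
    if ( count( $roles ) > 1 ) {
        $reasons[] = 'multiple roles: ' . implode( ',', $roles );
    }

    // 3. Dangerous capabilities granted directly, bypassing roles entirely.
    //    $user->caps is the raw wp_capabilities usermeta array.
    $direct = array_diff( array_keys( array_filter( (array) $user->caps ) ), $role_names );
    $bad    = array_intersect( $direct, $dangerous_caps );
    if ( $bad ) {
        $reasons[] = 'directly granted caps: ' . implode( ',', $bad );
    }

    if ( $reasons ) {
        $findings[ $user->ID ] = array(
            'login'   => $user->user_login,
            'roles'   => $roles,
            'reasons' => $reasons,
        );
    }
}

if ( ! $findings ) {
    WP_CLI::success( 'No anomalous role assignments found.' );
} else {
    foreach ( $findings as $id => $f ) {
        WP_CLI::warning( sprintf( 'user %d (%s) roles=[%s]', $id, $f['login'], implode( ',', $f['roles'] ) ) );
        foreach ( $f['reasons'] as $r ) {
            WP_CLI::line( '    - ' . $r );
        }
    }
}
```

The third check is the one the wp-admin Users screen cannot show you: that screen lists roles, not individual capabilities, so an attacker who added manage_options straight into wp_capabilities still appears as a plain Customer. Run the script before and after the upgrade and keep the output as an audit record; a clean result on a site whose plugin was exposed for months is a reason to also review web server logs, not a reason to stop.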

Priority Score

44 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.1, CVSS +44, POC 0
