WordPress Plugin Vulnerabilities

Wholesale Suite < 2.2.5 - Authenticated (Shop Manager+) Privilege Escalation

Description

The Wholesale Suite – B2B, Dynamic Pricing & Wholesale Prices for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.4.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to gain administrative-level access.

Affects Plugins

Plugin icon
woocommerce-wholesale-prices
Fixed in 2.2.5

References

CVE
CVE-2025-49924
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/38a1fb65-b0f6-4d3a-9b07-c40f80de4685

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Phat RiO - BlueRock
Verified
No
WPVDB ID
6317476d-a0f9-443b-a8b2-3d037e3f7237

Timeline

Publicly Published
2025-07-23 (about 10 months ago)
Added
2025-12-11 (about 5 months ago)
Last Updated
2025-12-11 (about 5 months ago)

Other

Published
Title
Published
2025-03-18
Title
Service Finder Bookings < 5.1 - Unauthenticated Privilege Escalation via Account Takeover
Published
2025-08-29
Title
PostX < 4.1.36 - Authenticated (Editor+) Privilege Escalation
Published
2025-03-31
Title
SMS Alert Order Notifications < 3.8.0 - Unauthenticated Account Takeover/Privilege Escalation
Published
2024-11-22
Title
WPGYM < 67.2.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Published
2019-08-07
Title
Login Or Logout Menu Item < 1.2.0 - Unauthenticated Options Change