WordPress Plugin Vulnerabilities

Make Email Customizer for WooCommerce <= 1.0.6 - Subscriber+ Arbitrary Options Update

Description

The plugin lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options.

Proof of Concept

Affects Plugins

Plugin icon
make-email-customizer-for-woocommerce
No known fix

References

CVE
CVE-2025-11237

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Khaled Alenazi (Nxploited)
Submitter
Khaled Alenazi (Nxploited)
Verified
Yes
WPVDB ID
88b46752-051b-4468-9e2b-cc81a9ce1075

Timeline

Publicly Published
2025-10-21 (about 2 months ago)
Added
2025-10-21 (about 2 months ago)
Last Updated
2025-10-21 (about 2 months ago)

Other

Published
Title
Published
2025-01-17
Title
Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme < 2.0.5 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Option Update
Published
2024-03-29
Title
Shortcodes and extra features for Phlox theme < 2.15.8 - Subscriber+ Template Import
Published
2025-12-15
Title
User Extra Fields < 16.9 - Missing Authorization
Published
2025-04-01
Title
WordPress Adverts Plugin <= 1.4 - Missing Authorization
Published
2024-12-06
Title
If Menu < 0.19.2 - Missing Authorization to License Key Update