{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3848", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-21T13:47:42.362Z", "datePublished": "2025-07-02T03:47:25.725Z", "dateUpdated": "2025-07-02T13:14:54.022Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-07-02T03:47:25.725Z"}, "affected": [{"vendor": "themesgrove", "product": "Download Manager and Payment Form WordPress Plugin \u2013 WP SmartPay", "versions": [{"version": "1.1.0", "status": "affected", "lessThanOrEqual": "2.7.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Download Manager and Payment Form WordPress Plugin \u2013 WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1.1.0 to 2.7.13. This is due to the plugin not properly validating a user's identity prior to updating their email through the update() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account."}], "title": "Download Manager and Payment Form WordPress Plugin \u2013 WP SmartPay 1.1.0 - 2.7.13 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c197e26f-745b-481a-a7b5-79d1211c02ea?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smartpay/tags/2.7.13/app/Http/Controllers/Rest/CustomerController.php#L51"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-07-01T14:34:41.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-02T13:00:17.446519Z", "id": "CVE-2025-3848", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:14:54.022Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3848", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-02T13:00:17.446519Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:05:19.368Z"}}], "cna": {"title": "Download Manager and Payment Form WordPress Plugin \u2013 WP SmartPay 1.1.0 - 2.7.13 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "themesgrove", "product": "Download Manager and Payment Form WordPress Plugin \u2013 WP SmartPay", "versions": [{"status": "affected", "version": "1.1.0", "versionType": "semver", "lessThanOrEqual": "2.7.13"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-01T14:34:41.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c197e26f-745b-481a-a7b5-79d1211c02ea?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smartpay/tags/2.7.13/app/Http/Controllers/Rest/CustomerController.php#L51"}], "descriptions": [{"lang": "en", "value": "The Download Manager and Payment Form WordPress Plugin \u2013 WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1.1.0 to 2.7.13. This is due to the plugin not properly validating a user's identity prior to updating their email through the update() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-07-02T03:47:25.725Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3848", "state": "PUBLISHED", "dateUpdated": "2025-07-02T13:14:54.022Z", "dateReserved": "2025-04-21T13:47:42.362Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-02T03:47:25.725Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Download Manager and Payment Form WordPress Plugin \u2013 WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1.1.0 to 2.7.13. This is due to the plugin not properly validating a user's identity prior to updating their email through the update() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account."}, {"lang": "es", "value": "El complemento Download Manager and Payment Form WordPress Plugin \u2013 WP SmartPay de WordPress es vulnerable a la escalada de privilegios mediante el robo de cuenta en las versiones 1.1.0 a 2.7.13. Esto se debe a que el complemento no valida correctamente la identidad del usuario antes de actualizar su correo electr\u00f3nico mediante la funci\u00f3n update(). Esto permite a atacantes autenticados, con acceso de suscriptor o superior, cambiar las direcciones de correo electr\u00f3nico de cualquier usuario, incluyendo administradores, y aprovechar esta situaci\u00f3n para restablecer la contrase\u00f1a del usuario y acceder a su cuenta."}], "id": "CVE-2025-3848", "lastModified": "2025-07-03T15:14:12.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-07-02T04:15:52.193", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smartpay/tags/2.7.13/app/Http/Controllers/Rest/CustomerController.php#L51"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c197e26f-745b-481a-a7b5-79d1211c02ea?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}