Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2025-19677 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-25171. Reason: This candidate is a reservation duplicate of CVE-2025-25171. Notes: All CVE users should reference CVE-2025-25171 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. |
No reference.
Thu, 24 Jul 2025 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-639 | |
| CPEs | ||
| Vendors & Products |
Themesgrove
Themesgrove wp Smartpay |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Thu, 24 Jul 2025 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Download Manager and Payment Form WordPress Plugin – WP SmartPay 1.1.0 - 2.7.13 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover | |
| Metrics |
ssvc
|
Thu, 24 Jul 2025 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1.1.0 to 2.7.13. This is due to the plugin not properly validating a user's identity prior to updating their email through the update() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-25171. Reason: This candidate is a reservation duplicate of CVE-2025-25171. Notes: All CVE users should reference CVE-2025-25171 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. |
Wed, 16 Jul 2025 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Themesgrove
Themesgrove wp Smartpay |
|
| CPEs | cpe:2.3:a:themesgrove:wp_smartpay:*:*:*:*:*:wordpress:*:* | |
| Vendors & Products |
Themesgrove
Themesgrove wp Smartpay |
Wed, 02 Jul 2025 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 02 Jul 2025 04:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1.1.0 to 2.7.13. This is due to the plugin not properly validating a user's identity prior to updating their email through the update() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |
| Title | Download Manager and Payment Form WordPress Plugin – WP SmartPay 1.1.0 - 2.7.13 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: REJECTED
Assigner: Wordfence
Published:
Updated: 2025-07-24T20:13:31.277Z
Reserved: 2025-04-21T13:47:42.362Z
Link: CVE-2025-3848
Updated:
Status : Rejected
Published: 2025-07-02T04:15:52.193
Modified: 2025-07-24T21:15:28.740
Link: CVE-2025-3848
No data.
OpenCVE Enrichment
No data.
No weakness.
EUVD