CVE-2025-3848

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-3848
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-25171. Reason: This candidate is a reservation duplicate of CVE-2025-25171. Notes: All CVE users should reference CVE-2025-25171 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVSS

No CVSS.

References

No reference.

Configurations

No configuration.

History

24 Jul 2025, 21:15

Type Values Removed Values Added
Summary The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1.1.0 to 2.7.13. This is due to the plugin not properly validating a user's identity prior to updating their email through the update() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-25171. Reason: This candidate is a reservation duplicate of CVE-2025-25171. Notes: All CVE users should reference CVE-2025-25171 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CPE cpe:2.3:a:themesgrove:wp_smartpay:*:*:*:*:*:wordpress:*:*
References
  • {'url': 'https://plugins.trac.wordpress.org/browser/smartpay/tags/2.7.13/app/Http/Controllers/Rest/CustomerController.php#L51', 'name': 'https://plugins.trac.wordpress.org/browser/smartpay/tags/2.7.13/app/Http/Controllers/Rest/CustomerController.php#L51', 'tags': ['Product'], 'refsource': ''}
  • {'url': 'https://www.wordfence.com/threat-intel/vulnerabilities/id/c197e26f-745b-481a-a7b5-79d1211c02ea?source=cve', 'name': 'https://www.wordfence.com/threat-intel/vulnerabilities/id/c197e26f-745b-481a-a7b5-79d1211c02ea?source=cve', 'tags': ['Third Party Advisory'], 'refsource': ''}
CVSS v2 : unknown
v3 : 8.8 		v2 : unknown
v3 : unknown
CWE CWE-639

16 Jul 2025, 15:45

Type Values Removed Values Added
CPE cpe:2.3:a:themesgrove:wp_smartpay:*:*:*:*:*:wordpress:*:*
First Time Themesgrove wp Smartpay
Themesgrove
References () https://plugins.trac.wordpress.org/browser/smartpay/tags/2.7.13/app/Http/Controllers/Rest/CustomerController.php#L51 - () https://plugins.trac.wordpress.org/browser/smartpay/tags/2.7.13/app/Http/Controllers/Rest/CustomerController.php#L51 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/c197e26f-745b-481a-a7b5-79d1211c02ea?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/c197e26f-745b-481a-a7b5-79d1211c02ea?source=cve - Third Party Advisory

02 Jul 2025, 04:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-02 04:15

Updated : 2025-07-24 21:15

NVD link : CVE-2025-3848

Mitre link : CVE-2025-3848

JSON object : View

Products Affected

No product.

CWE

No CWE.