Rewterz

Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-11533 CVSS:9.8

The WP Freeio plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.21. This is due to the process_register() function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

CVE-2025-6439 CVSS:9.8

The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.
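The kind of path validation CVE-2025-6439 describes as insufficient, shown as an added example (not code from the plugin or from this advisory): a delete helper that accepts only regular files resolving inside one base directory. The function names and the sample directory layout are assumptions.

```php
<?php
// Added illustration, not code from WooCommerce Designer Pro.
// confined_file() and delete_design_file() are hypothetical names.

/** Return the canonical path of $userPath if it is a regular file
 *  inside $baseDir, or null for anything that resolves elsewhere. */
function confined_file(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // PHP 8 filesystem calls throw on NUL bytes; reject them up front.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks;
    // it returns false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return null; // a directory is never a valid delete target
    }
    // Trailing separator stops "designs-old" from matching "designs".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

function delete_design_file(string $baseDir, string $userPath): bool
{
    $target = confined_file($baseDir, $userPath);
    return $target !== null && unlink($target);
}

// Constructed sample layout in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'designs_demo_' . bin2hex(random_bytes(4));
mkdir("$root/designs", 0700, true);
mkdir("$root/designs-old", 0700, true);
foreach (['designs/a.json', 'designs-old/b.json', 'keep.txt'] as $f) {
    file_put_contents("$root/$f", '{}');
}

// Constructed inputs: one legitimate name, then values that must be refused.
foreach (['a.json', '../keep.txt', '../designs-old/b.json', '.', ''] as $input) {
    $ok = delete_design_file("$root/designs", $input);
    printf("%-24s %s\n", var_export($input, true), $ok ? 'deleted' : 'refused');
}
```

In a plugin, a check like this would sit behind the AJAX handler's own authentication and capability checks, which this example does not cover.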

Impact

  • Privilege Escalation
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2025-11533
  • CVE-2025-6439

Affected Vendors

  • WordPress

Affected Products

  • ApusTheme WP Freeio *
  • JMA Plugins WooCommerce Designer Pro *

Remediation

Update the affected WordPress plugins to the latest available versions.
