Security Flaws in WordPress Woffice Theme Prompt Urgent Update

Two significant security vulnerabilities in the popular Woffice WordPress theme that could allow attackers to gain unauthorized control or access have been patched.

The Woffice theme, a premium product developed by Xtendify with over 15,000 sales, provides team and project management functionality for WordPress. 

According to a report by Patchstack, the first vulnerability is a privilege escalation flaw that enables unauthenticated users to register as any role, including administrator. This could allow attackers to gain full control of an affected website. The second enables unauthenticated account takeover (ATO), allowing attackers to log in as any existing user, including the site administrator. 

Both issues were found in the theme’s custom login and registration functionality.

Woffice Users Advised to Patch Now

Patches for these vulnerabilities have now been released.

To address the privilege escalation issue, the developers implemented a denylist to prevent unauthorized role registration and explicitly block administrator roles. For the account takeover vulnerability, they completely removed the flawed register_redirect() function that allowed unauthorized logins.

These patches were released in stages. Version 5.4.12 fixed the privilege escalation vulnerability, while version 5.4.15 addressed the account takeover flaw. The final patch was released on November 18, 2024, after thorough testing and validation.

Woffice users should update to version 5.4.15 immediately to secure their sites. Failing to update could leave websites vulnerable to full takeovers or malicious server code installations.

“The vulnerabilities discussed here highlight the importance of secure registration,” Patchstack warned. “Administrators, reasonably, have a very impactful amount of power when it comes to control over a WordPress site – allowing unknown users this level of privilege can be extremely dangerous.”

The company also advised developers to adopt strict role validation and authentication measures to avoid similar vulnerabilities in custom login and registration systems. These safeguards are essential for maintaining a secure WordPress environment.
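To illustrate the role-validation advice above (and the denylist approach described for the 5.4.12 patch), here is an added example of a hypothetical custom WordPress registration handler; it is not Woffice's code or the actual patch. The first function grants whatever role the request names; the hardened version checks the requested role against an allowlist, explicitly denies administrator, and verifies a nonce. The function names, the allowlist and the nonce action are assumptions.

```php
<?php
// Added illustration, not Woffice's code. Shows why a custom registration
// form must never trust a client-supplied role, and one way to validate it.

// Vulnerable pattern: the role is taken straight from the request, so any
// visitor who submits the form can choose the privilege level they receive.
function demo_register_vulnerable() {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $_POST['role'] ?? 'subscriber', // attacker-controlled
    ) );
}

// Hardened pattern: only roles the site explicitly permits for
// self-registration are accepted; administrator is denied regardless of
// input (defence in depth, like the denylist in the Woffice patch); anything
// else falls back to the least-privileged default.
function demo_allowed_registration_role( $requested ) {
    $allowed = array( 'subscriber', 'contributor' ); // assumption: site policy
    $denied  = array( 'administrator', 'editor' );   // never self-assignable
    $role    = sanitize_key( $requested );
    if ( in_array( $role, $denied, true ) || ! in_array( $role, $allowed, true ) ) {
        return 'subscriber';
    }
    return $role;
}

function demo_register_hardened() {
    // Honour the site-wide registration switch and reject forged requests.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_die( 'Registration is disabled.' );
    }
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'demo_register' ) ) {
        wp_die( 'Invalid request.' );
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => demo_allowed_registration_role( $_POST['role'] ?? '' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_die( esc_html( $user_id->get_error_message() ) );
    }
    // Note: do not log the new account in here without a verified credential;
    // an auto-login path that trusts request data is how account takeover arises.
    return $user_id;
}
```

On a real site the `demo_register_hardened()` path would be wired to the theme's form submission hook; the user-facing error messages are placeholders.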
