CVE-2025-3063 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-3063 Interim 1 1 2026-03-05T01:33:07Z current 2026-03-05T01:33:07Z 2026-03-05T01:33:07Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-3063 The Shopper Approved Reviews plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_callback_update_sa_option() function in versions 2.0 to 2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 15 SP6 openSUSE Leap 15.6 openSUSE Leap 16.0 openSUSE Tumbleweed chromedriver-145.0.7632.116-1.1 chromedriver-145.0.7632.116-bp156.2.242.1 chromedriver-145.0.7632.116-bp160.1.1 chromium-145.0.7632.116-1.1 chromium-145.0.7632.116-bp156.2.242.1 chromium-145.0.7632.116-bp160.1.1 chromedriver-145.0.7632.116-bp156.2.242.1 as a component of SUSE Package Hub 15 SP6 chromium-145.0.7632.116-bp156.2.242.1 as a component of SUSE Package Hub 15 SP6 chromedriver-145.0.7632.116-bp156.2.242.1 as a component of openSUSE Leap 15.6 chromium-145.0.7632.116-bp156.2.242.1 as a component of openSUSE Leap 15.6 chromedriver-145.0.7632.116-bp160.1.1 as a component of openSUSE Leap 16.0 chromium-145.0.7632.116-bp160.1.1 as a component of openSUSE Leap 16.0 chromedriver-145.0.7632.116-1.1 as a component of openSUSE Tumbleweed chromium-145.0.7632.116-1.1 as a component of openSUSE Tumbleweed The Shopper Approved Reviews plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_callback_update_sa_option() function in versions 2.0 to 2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. CVE-2025-3063 SUSE Package Hub 15 SP6:chromedriver-145.0.7632.116-bp156.2.242.1 SUSE Package Hub 15 SP6:chromium-145.0.7632.116-bp156.2.242.1 openSUSE Leap 15.6:chromedriver-145.0.7632.116-bp156.2.242.1 openSUSE Leap 15.6:chromium-145.0.7632.116-bp156.2.242.1 openSUSE Leap 16.0:chromedriver-145.0.7632.116-bp160.1.1 openSUSE Leap 16.0:chromium-145.0.7632.116-bp160.1.1 openSUSE Tumbleweed:chromedriver-145.0.7632.116-1.1 openSUSE Tumbleweed:chromium-145.0.7632.116-1.1 important