CVE-2025-6730
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to modify opt-in status settings without proper authorization. It affects all WordPress sites using the Bonanza – WooCommerce Free Gifts Lite plugin version 1.0.0 or earlier. The flaw exists in the xlo_optin_call() function which lacks proper capability checks.
💻 Affected Systems
- Bonanza – WooCommerce Free Gifts Lite WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate opt-in tracking data, potentially affecting marketing analytics, compliance reporting, or enabling further privilege escalation through chained attacks.
Likely Case
Unauthorized users modify opt-in statuses, compromising data integrity and potentially affecting email marketing campaigns or user consent tracking.
If Mitigated
With proper user role management and monitoring, impact is limited to data integrity issues within the plugin's opt-in functionality.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/bonanza-woocommerce-free-gifts-lite/trunk/xl/includes/class-xl-opt-in-manager.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Bonanza – WooCommerce Free Gifts Lite'
4. Click 'Update Now' if update is available
5. Alternatively, download version 1.0.1+ from WordPress plugin repository and manually update
🔧 Temporary Workarounds
Disable vulnerable plugin (scope: all)
Temporarily deactivate the plugin until patched:
wp plugin deactivate bonanza-woocommerce-free-gifts-lite
Restrict user roles (scope: all)
Limit Subscriber role creation and review existing low-privilege accounts
🧯 If You Can't Patch
- Remove the plugin entirely if not essential for site functionality
- Implement web application firewall rules to monitor for suspicious opt-in API calls
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Bonanza – WooCommerce Free Gifts Lite. If version is 1.0.0 or lower, you are vulnerable.
Check Version:
wp plugin get bonanza-woocommerce-free-gifts-lite --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.0.1 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=xlo_optin_call from low-privilege users
- Multiple opt-in status changes from single user accounts
Network Indicators:
- HTTP POST requests carrying the 'xlo_optin_call' action parameter from sessions or IP addresses not associated with administrator accounts
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "xlo_optin_call" AND (user_role="subscriber" OR user_role="contributor")
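The log indicators above can be checked offline before a SIEM rule is written. The following is an added example (not part of this advisory or the plugin's own code) that scans a few constructed log lines for POST requests to admin-ajax.php with action=xlo_optin_call made by low-privilege roles, and flags accounts that repeat the call. It assumes a hypothetical log format that records the logged-in WordPress username and role and that the action name is visible in the query string; standard web server access logs do not record POST bodies, so a real deployment would need a WordPress-side activity log or a custom log format.

```python
import re
from collections import Counter

# Constructed sample lines in a hypothetical format:
#   <ip> <wp_user> <wp_role> [<timestamp>] "<method> <path> <proto>" <status>
SAMPLE_LOG = """\
203.0.113.10 admin administrator [01/Jul/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=xlo_optin_call HTTP/1.1" 200
203.0.113.25 sub_user subscriber [01/Jul/2025:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=xlo_optin_call HTTP/1.1" 200
203.0.113.25 sub_user subscriber [01/Jul/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=xlo_optin_call HTTP/1.1" 200
203.0.113.25 sub_user subscriber [01/Jul/2025:10:02:19 +0000] "POST /wp-admin/admin-ajax.php?action=xlo_optin_call HTTP/1.1" 200
198.51.100.7 writer contributor [01/Jul/2025:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200
198.51.100.7 writer contributor [01/Jul/2025:10:06:30 +0000] "POST /wp-admin/admin-ajax.php?action=xlo_optin_call HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) (?P<role>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Roles the advisory names as not expected to touch opt-in settings
LOW_PRIV_ROLES = {"subscriber", "contributor"}
TARGET_ACTION = "xlo_optin_call"


def parse_line(line):
    """Parse one log line into a dict, splitting the admin-ajax action out of the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    rec["action"] = params.get("action")
    return rec


def is_suspicious(rec):
    """True for a POST to admin-ajax.php invoking xlo_optin_call from a low-privilege role."""
    return (
        rec["method"] == "POST"
        and rec["path"].endswith("/wp-admin/admin-ajax.php")
        and rec["action"] == TARGET_ACTION
        and rec["role"] in LOW_PRIV_ROLES
    )


def analyze(log_text, repeat_threshold=3):
    """Return matching events, a per-user count, and users at or above the repeat threshold."""
    hits = []
    per_user = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append(rec)
            per_user[rec["user"]] += 1
    repeat_offenders = sorted(u for u, n in per_user.items() if n >= repeat_threshold)
    return {"hits": hits, "per_user": dict(per_user), "repeat_offenders": repeat_offenders}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for rec in result["hits"]:
        print(f"{rec['ts']} {rec['user']} ({rec['role']}) from {rec['ip']} -> {rec['action']}")
    print("repeat offenders:", result["repeat_offenders"])
```

The administrator's call is deliberately not flagged: on a patched site that call is legitimate, and the point of the rule is the role, not the endpoint. The repeat threshold is a constructed value; tune it to how often real users change their opt-in status on your site.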