CVE-2025-12820
Description
The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated users to update them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Pure WC Variation Swatches plugin through 1.1.7 lacks authorization checks when updating settings, allowing any authenticated user to modify them.
Missing Authorization in Settings Update
The Pure WC Variation Swatches WordPress plugin through version 1.1.7 contains a missing authorization vulnerability in its settings update functionality. The plugin fails to perform an authorization check (CWE-862) when processing requests to update its configuration [1]. This means that any authenticated user, regardless of their role or capabilities, can modify the plugin's settings.
Attack Surface and Prerequisites
The attack requires the attacker to be authenticated as a user on the WordPress site. No special privileges such as administrator or editor are needed; even a subscriber-level account can exploit this vulnerability. The attacker sends a crafted request to the settings update endpoint, and due to the lack of authorization verification, the request is processed successfully [1].
Impact
By exploiting this vulnerability, an authenticated attacker can change the plugin's settings arbitrarily. This could lead to changes in how product variations and swatches are displayed, potentially causing defacement or disrupting the functionality of the WooCommerce product pages. In some scenarios, the attacker might be able to inject malicious content or alter pricing data if those settings are exposed.
Mitigation Status
As of the publication date, there is no known fix for this vulnerability. The plugin version 1.1.7 is the last affected version, and no patched version has been released. Users are advised to disable the plugin or implement a workaround such as role-based access control until a fix becomes available [1].
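The pattern the narrative describes, and the check that closes it, as a constructed illustration added here; this is not the Pure WC Variation Swatches plugin's code, and the hook, option and field names are hypothetical:

```php
<?php
// Constructed example of the CWE-862 pattern: a WordPress settings handler
// that writes an option without asking who is making the request.
// Hook, option and field names are hypothetical, not the plugin's own.

// UNCHECKED: reachable by any logged-in user via admin-post.php, because
// nothing verifies capability or request intent before update_option().
function example_swatches_save_settings_unchecked() {
    $style = isset( $_POST['swatch_style'] ) ? $_POST['swatch_style'] : 'default';
    update_option( 'example_swatches_settings', array( 'swatch_style' => $style ) );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// HARDENED: authorization first, then CSRF intent, then input validation.
function example_swatches_save_settings() {
    // 1. Authorization: only users who may manage site options proceed.
    //    Subscriber- or customer-level accounts stop here with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change these settings.' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. Intent: the request must carry the nonce issued by the settings form
    //    (emitted there with wp_nonce_field( 'example_swatches_save', 'example_swatches_nonce' )).
    check_admin_referer( 'example_swatches_save', 'example_swatches_nonce' );

    // 3. Validation: store only allow-listed values, never raw POST data.
    $allowed_styles = array( 'default', 'rounded', 'square' );
    $style = isset( $_POST['swatch_style'] )
        ? sanitize_key( wp_unslash( $_POST['swatch_style'] ) )
        : 'default';
    if ( ! in_array( $style, $allowed_styles, true ) ) {
        $style = 'default';
    }

    update_option( 'example_swatches_settings', array( 'swatch_style' => $style ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// Only the hardened handler is wired up; the unchecked one is shown for review.
add_action( 'admin_post_example_swatches_save', 'example_swatches_save_settings' );
```

Until a patched release exists, the same `current_user_can()` gate is what a site-level role-based access control workaround has to enforce in front of the plugin's settings endpoint.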
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.1.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.