High severity7.2NVD Advisory· Published Feb 19, 2026· Updated Apr 15, 2026

CVE-2025-12975

Description

The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install arbitrary plugins which can be leveraged to achieve remote code execution.

Affected products

WordPress/Webappick Product Feed For Woocommercereferences
Package: https://wordpress.org/plugins/webappick-product-feed-for-woocommerce

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvd
wordpress.org/plugins/webappick-product-feed-for-woocommerce/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/4f77f4cd-f4b3-42bc-a1a9-e5df5daa42b7nvd

News mentions

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026)
Wordfence Blog · Apr 16, 2026

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000