CVE-2025-22673
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory, and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Missing authorization in WPFactory's EAN for WooCommerce plugin (≤5.3.5) allows unauthorized access due to incorrectly configured access control levels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Missing Authorization vulnerability in WPFactory EAN for WooCommerce (slug: ean-for-woocommerce) allows exploitation of incorrectly configured access control security levels. The issue affects all versions up to and including 5.3.5. The plugin has been closed/removed from the WordPress.org plugin directory as of April 27, 2026, pending a full review, meaning no patched version is distributed via that channel [1].
Exploitation
An attacker needs network access to the WooCommerce installation. No authentication or special privileges are explicitly required for exploitation per the available references; the vulnerability lies in incorrectly configured access control levels, potentially allowing any user to trigger unauthorized actions. The exact attack vector is not detailed in the references [1].
Impact
Successful exploitation could lead to unauthorized access or privilege escalation, compromising the confidentiality, integrity, or availability of data managed by the plugin. The attacker may gain the ability to execute actions that should require higher privileges, such as reading or modifying sensitive inventory data, though the specific CIA outcome is not fully disclosed [1].
Mitigation
No patched version is currently available; the plugin has been removed from WordPress.org, and users are advised to uninstall it immediately. The closure is temporary pending a full review, but no release date for a fix is known. Users should consider disabling or removing the plugin until a secure version is re-published [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.3.5
- Range: <=5.3.5
Patches
ean-for-woocommerce: This plugin was removed from the WordPress.org directory on 2026-04-27. No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page