CVE-2025-24625
Description
Missing authorization in Taxonomy/Term and Role-based Discounts for WooCommerce ≤5.1 allows unauthenticated exploitation of incorrect access control security levels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing authorization vulnerability exists in the WordPress plugin Taxonomy/Term and Role-based Discounts for WooCommerce (taxonomy-discounts-woocommerce) up to and including version 5.1. The issue allows attackers to bypass access control checks [1]. The plugin provides automatic WooCommerce price discounts based on product category, tag, attribute, brand, or custom taxonomy, applied to all users, logged-in users, or specific WordPress user roles.
Exploitation
An attacker does not require any authentication or special privileges to exploit this vulnerability. The missing authorization occurs due to incorrectly configured access control security levels within the plugin's discount rule handling. The attacker can directly access sensitive functionality without proper permission verification [1].
Impact
Successful exploitation enables an attacker to bypass the intended access control restrictions, potentially allowing them to modify or view discount rules or apply discounts without proper authorization. This could lead to unauthorized configuration changes or information disclosure [1].
Mitigation
As of this publication, the vulnerability exists in plugin versions up to 5.1. Users are advised to update to a patched version if available; however, the available references do not specify a fixed version number [1]. The plugin is available via the WordPress plugin directory, and users should monitor for security updates. If no patch is yet released, consider disabling or removing the plugin until a fix is available.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=5.1
- Range: <=5.1
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.