CVE-2025-26928
Description
Missing Authorization vulnerability in Xfinitysoft Order Limit for WooCommerce wc-order-limit-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Limit for WooCommerce: from n/a through <= 3.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Order Limit for WooCommerce plugin allows unauthenticated attackers to bypass access controls, potentially manipulating order limits.
Vulnerability Overview
The Order Limit for WooCommerce plugin (wc-order-limit-lite) versions up to and including 3.0.2 contain a missing authorization vulnerability. The plugin fails to properly enforce access control checks on certain functions, allowing unauthenticated users to perform actions that should require higher privileges. This is classified as a Broken Access Control issue [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP requests to the WordPress site without needing any authentication or valid nonce tokens. The attack surface is broad, as any site running the vulnerable plugin is potentially affected. No special network position or user interaction is required [1].
Impact
Successful exploitation could allow an attacker to manipulate order limit settings, potentially leading to unauthorized changes in WooCommerce order restrictions. However, the advisory notes that this vulnerability has a low severity impact and is unlikely to be exploited in mass campaigns [1].
Mitigation
The vulnerability is fixed in version 3.0.3 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consulting with a hosting provider or web developer is recommended [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.0.2
Patches
No patches discovered yet.