High severity (7.5) · NVD Advisory · Published Apr 9, 2025 · Updated Apr 23, 2026 · No known patch

CVE-2025-31377

Description

Missing authorization in Woo Product Feed For Marketing Channels up to v1.9.0 allows unauthenticated attackers to exploit access control flaws.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Woo Product Feed For Marketing Channels plugin for WordPress (slug: woocommerce-to-google-merchant-center) contains a Missing Authorization vulnerability affecting all versions through 1.9.0. The plugin's access control logic does not properly validate user permissions for certain actions, so incorrectly configured access control security levels can be exploited. The plugin was closed and removed from the WordPress.org plugin directory on April 9, 2025 due to this security issue [1].

Exploitation

An attacker can exploit this vulnerability without requiring authentication or any special privileges. By sending crafted HTTP requests to the vulnerable endpoints, an attacker can bypass the intended authorization checks. No direct user interaction is needed, and the attack can be launched remotely over the network.

Impact

Successful exploitation allows an attacker to perform unauthorized actions within the plugin's context, potentially leading to the disclosure or modification of sensitive data, such as product feed configurations or marketing channel settings. The full scope of impact is not detailed in the available references, but the high severity CVSS score (7.5) and the plugin's removal from the official directory indicate a significant risk.

Mitigation

No patched version is available, as the plugin was closed and removed from the WordPress.org plugin repository on April 9, 2025 without any prior security update [1]. Users who have this plugin installed should uninstall it immediately. There is no official workaround provided in the available references. This CVE is not listed on CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0
Plugin removed: Woo Product Feed For Marketing Channels (woocommerce-to-google-merchant-center)

This plugin was removed from the WordPress.org directory on 2025-04-09 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.

Source: api.wordpress.org · directory page
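
Since the only remediation is removal, the first step on a multi-site host is finding every copy on disk. The script below is an added example (not code from the plugin, WordPress.org, or this advisory's references) that searches a web root for the slug and reads each copy's `Version:` header. It assumes the plugin directory keeps its slug and sits inside a directory named `plugins`; all function names are hypothetical helpers.

```python
import re
import sys
from pathlib import Path

SLUG = "woocommerce-to-google-merchant-center"  # plugin slug from the advisory
LAST_AFFECTED = (1, 9, 0)                       # "up to v1.9.0" per the advisory
# WordPress plugin metadata lives in a header comment: " * Version: 1.2.3"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)


def read_plugin_version(plugin_dir):
    """Return the Version header from the plugin's main PHP file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        try:
            head = php.read_text(errors="replace")[:8192]  # header sits near the top
        except OSError:
            continue  # unreadable file: try the next candidate
        match = VERSION_RE.search(head)
        # Only the main plugin file carries a "Plugin Name:" header.
        if match and re.search(r"Plugin Name:", head, re.I):
            return match.group(1)
    return None


def parse_version(text):
    """Turn '1.8.2' into (1, 8, 2); missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def find_installs(root):
    """List every on-disk copy of the plugin below root (e.g. /var/www)."""
    findings = []
    for plugin_dir in sorted(Path(root).rglob(SLUG)):
        if not plugin_dir.is_dir() or plugin_dir.parent.name != "plugins":
            continue  # same name, but not an installed plugin directory
        version = read_plugin_version(plugin_dir)
        # An unreadable version is treated as affected (conservative default).
        in_range = version is None or parse_version(version) <= LAST_AFFECTED
        findings.append({"path": str(plugin_dir), "version": version,
                         "in_affected_range": in_range})
    return findings


if __name__ == "__main__":
    for f in find_installs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['path']}  version={f['version'] or 'unknown'}  "
              f"in_affected_range={f['in_affected_range']}")
```

Every path it prints is a candidate for removal, since no fixed release is being distributed; `in_affected_range` only records whether the copy's header falls at or below 1.9.0.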

References

1
