CVE-2025-31406
Description
Missing authorization in ELEX WooCommerce Request a Quote plugin (≤2.3.9) allows unauthenticated attackers to exploit broken access controls, potentially leading to unauthorized actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The ELEX WooCommerce Request a Quote plugin for WordPress versions up to and including 2.3.9 suffers from a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, allowing unauthenticated users to perform actions that should require higher privileges [1]. The issue is classified as a broken access control vulnerability, a common type that can be exploited in mass campaigns targeting thousands of sites regardless of size or popularity [1].
Exploitation Details
Attackers can exploit this vulnerability without authentication, as the plugin fails to properly verify user permissions before executing certain functions. The attack surface is broad because the plugin is widely used in WooCommerce stores to manage quote requests. No special network position is required; the exploit can be triggered via crafted HTTP requests to the WordPress installation [1].
Impact
Successful exploitation could allow an attacker to access or modify sensitive data, such as quote requests, customer information, or plugin settings. This could lead to data breaches, unauthorized changes, or further compromise of the WordPress site. The vulnerability is particularly dangerous because it can be automated and used in large-scale attacks [1].
Mitigation
The vendor has not released a patch for this specific version range (n/a through 2.3.9). Users are strongly advised to update the plugin to the latest available version as soon as possible. If updating is not feasible, contacting the hosting provider or a web developer for assistance is recommended. The vulnerability is actively monitored and may be added to the CISA Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.3.9
Patches
No patches discovered yet.
References