CVE-2025-31865
Description
Missing authorization in CartBoss plugin for WooCommerce up to version 4.1.2 allows unauthenticated exploitation of misconfigured access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing authorization vulnerability exists in the CartBoss plugin for WooCommerce in all versions up to and including 4.1.2 [1]. The issue resides in the plugin's access control implementation, where incorrectly configured security levels allow unauthorized actions to be performed without proper permission checks.
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending crafted requests to the plugin's endpoints that lack proper authorization checks. No privileged access or user interaction is required, as the flawed access control logic is reachable directly via HTTP requests [1].
Impact
Successful exploitation enables an attacker to perform actions that should be restricted to authenticated users with specific roles. This could lead to unauthorized configuration changes or data access, compromising the integrity and confidentiality of the WooCommerce store's settings and customer data [1].
Mitigation
The vulnerability affects CartBoss versions up to and including 4.1.2. According to the plugin repository [1], version 4.2.1 is the latest available update, but the reference does not explicitly confirm whether this version contains the fix. Users should update to the latest version (4.2.1) if available and monitor vendor advisories for confirmation of patched releases.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <=4.1.2
- (no CPE) range: <=4.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.