CVE-2025-32226
Description
Missing Authorization in WordPress Display product variations dropdown plugin (≤1.1.3) allows unauthenticated exploitation of access control.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress plugin "Display product variations dropdown on shop page" (version 1.1.3 and earlier) omits an authorization check on at least one piece of its functionality: a privileged action can be invoked without the plugin confirming that the caller holds the capability the action requires. The CVE record phrases the consequence as exploiting incorrectly configured access control security levels; that is the standard wording for this weakness class (Missing Authorization, CWE-862), not a description of a specific misconfiguration on the site. All versions through 1.1.3 are affected; the record gives no lower bound ("n/a"). The plugin is developed by Anzar Ahmed, requires WordPress 4.7 or later and PHP 7.0 or later, and is tested up to WordPress 6.5.8. [1]
Exploitation
An attacker who can reach a WordPress site running the vulnerable plugin can invoke the unprotected functionality directly. According to the CVE description no authentication is required, because the missing check is server-side and nothing else gates the request. The affected code path and the request parameters involved are not detailed in the available references, so the exact exploitation steps are not publicly known; what is known is that the flaw lies in how the plugin authorizes access to its own functionality rather than in WordPress core. [1]
Impact
Successful exploitation lets an attacker perform an action the plugin should have restricted to privileged users, most plausibly reading or changing the plugin's settings. The CVSS v3 base score is 4.3 (Medium), which is consistent with a limited-scope authorization bypass rather than with code execution or site takeover. [1]
Mitigation
No patched version had been released as of the CVE publication date (2025-04-04). The last plugin release was 1.1.3 on 2024-05-31, which is itself inside the affected range, so there is currently no safe version to upgrade to. Site owners should confirm the installed version (Plugins screen, or `wp plugin list` with WP-CLI) and deactivate the plugin until a fixed release is published. If it must remain active, restrict the plugin's administrative pages and the admin-ajax.php actions it registers to trusted source addresses at the web server or WAF layer. Note that merely requiring a logged-in user does not address a missing capability check: any registered account, including a subscriber, would still pass. This CVE was not listed in the CISA KEV catalog as of the publication date.
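As an added illustration (not code from the Display product variations dropdown plugin, whose affected code path is not public), the following PHP shows the missing-authorization pattern described in the Vulnerability section beside the checks a maintainer would add to close it, which is the fix the Mitigation section is waiting on. The hook, function and option names prefixed `example_` are hypothetical.

```php
<?php
/**
 * Illustrative example only. Not the plugin's code.
 *
 * A settings handler reachable through admin-ajax.php that changes plugin
 * state without verifying the caller's capability is the CWE-862 pattern the
 * CVE describes. All example_* names are hypothetical.
 */

// --- Vulnerable form: no capability check, no nonce ----------------------
// wp_ajax_nopriv_* hooks fire for visitors who are not logged in, so anyone
// who can reach /wp-admin/admin-ajax.php can reach this callback.
add_action( 'wp_ajax_example_save_settings',        'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    // Missing: current_user_can() and check_ajax_referer().
    $mode = isset( $_POST['mode'] )
        ? sanitize_text_field( wp_unslash( $_POST['mode'] ) )
        : 'dropdown';
    update_option( 'example_display_mode', $mode ); // any visitor can change this
    wp_send_json_success( array( 'mode' => $mode ) );
}

// --- Hardened form -------------------------------------------------------
// 1. Register only the authenticated hook; drop wp_ajax_nopriv_*.
// 2. Authorize against the capability the action actually needs
//    (manage_options for site-wide plugin settings).
// 3. Verify a nonce so a logged-in admin cannot be made to submit via CSRF.
// 4. Validate the value against an allow-list before persisting it.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // Being logged in is not enough: a subscriber would pass an
        // is_user_logged_in() test but must still be refused here.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'example_save_settings', '_wpnonce' ); // dies on failure

    $allowed = array( 'dropdown', 'buttons' );
    $mode    = isset( $_POST['mode'] )
        ? sanitize_text_field( wp_unslash( $_POST['mode'] ) )
        : '';
    if ( ! in_array( $mode, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid mode' ), 400 );
    }

    update_option( 'example_display_mode', $mode );
    wp_send_json_success( array( 'mode' => $mode ) );
}

// The nonce the hardened handler expects is issued server-side to the admin
// page that calls the endpoint, for example when enqueueing its script:
//   wp_localize_script( 'example-admin', 'exampleAdmin', array(
//       'nonce' => wp_create_nonce( 'example_save_settings' ),
//       'ajax'  => admin_url( 'admin-ajax.php' ),
//   ) );
```

When reviewing a plugin for this class of bug, the two things to grep for are `wp_ajax_nopriv_` registrations on anything that writes state, and AJAX or admin-post callbacks that call `update_option`, `wp_update_post` or similar without a preceding `current_user_can()`; a nonce check alone is not authorization, since a nonce only proves the request came from a page WordPress served to that same user.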
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <=1.1.3
- (no CPE) range: <=1.1.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.