CVE-2025-32234
Description
Missing authorization in AdMail WooCommerce plugin ≤1.7.0 allows low-privileged users to exploit incorrectly configured access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing authorization vulnerability exists in the AdMail – Multilingual Back in-Stock Notifier for WooCommerce plugin (admail) for WordPress, affecting versions through 1.7.0. The plugin does not properly enforce access control checks, so users who should not have permission to perform privileged actions can exploit the incorrectly configured access controls [1].
Exploitation
An attacker needs a low-privileged WordPress account (e.g., subscriber or customer) and network access to the site. By sending crafted requests to certain plugin endpoints, the attacker can leverage the missing authorization checks to perform actions intended for higher-privileged users such as administrators or shop managers [1].
Impact
Successful exploitation allows an attacker to access or modify plugin settings, manage subscription data, or perform other administrative actions without proper authorization. This could lead to disclosure of sensitive information (e.g., customer email addresses) or disruption of the back-in-stock notification service [1].
Mitigation
The vendor has not released a patched version as of the disclosure date. Users are advised to disable the plugin until a security update is provided. The plugin is available on the WordPress plugin repository, and administrators should monitor for updates. There is no known workaround [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.7.0
- (no CPE) range: <=1.7.0
Package: https://wordpress.org/plugins/admail
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.