CVE-2025-47472

Vulnerability

Overview

The Music Player for WooCommerce plugin for WordPress, versions up to and including 1.5.1, contains a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, allowing unauthorized users to perform actions that should require higher privileges [1].

Exploitation

An attacker can exploit this vulnerability without authentication by sending crafted requests to the plugin's endpoints. The broken access control issue means that functions or API endpoints lack proper authorization checks, enabling unprivileged users to execute higher-privileged actions [1].

Impact

Successful exploitation could allow an attacker to modify plugin settings, access sensitive data, or perform other unauthorized operations within the WordPress installation. While the vendor rates this as low severity and unlikely to be exploited, such vulnerabilities are known to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vulnerability has been patched in version 1.6.0. Users are strongly advised to update the plugin immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].