CVE-2025-47602

The vulnerability is a missing authorization check in the WordPress plugin 'Calculate Prices based on Distance For WooCommerce' (versions <=1.3.5). This allows exploitation of incorrectly configured access control security levels, meaning functions that should require higher privileges are accessible to lower-privileged users or even unauthenticated visitors [1].

An attacker can exploit this by sending crafted requests to vulnerable endpoints without proper capability checks. No authentication is required, making it possible for anyone with access to the site to trigger the vulnerability. The attack surface is any WordPress site running the affected plugin version [1].

Successful exploitation enables an attacker to perform actions that should be restricted, such as modifying plugin settings or accessing sensitive data. This could lead to unauthorized changes in price calculations or other administrative functions, potentially affecting e-commerce operations [1].

The vendor has patched the issue in version 1.3.6. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. The vulnerability is considered low severity but is still a risk for sites using affected versions [1].