CVE-2025-48117
Description
Missing authorization vulnerability in WooCommerce POS plugin versions <= 1.7.8 allows attackers to exploit incorrectly configured access control security levels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WooCommerce POS plugin (woocommerce-pos) for WordPress, in versions 1.7.8 and earlier, contains a missing authorization vulnerability [1]. The issue lies in the plugin's access control checks, which are insufficiently enforced for certain actions or endpoints, allowing exploitation of incorrectly configured access control security levels.
Exploitation
An attacker can exploit this vulnerability by sending specially crafted requests to the plugin's endpoints without requiring prior authentication or user interaction [1]. Only network access to the vulnerable WordPress site is needed. The lack of proper authorization checks means the attacker can trigger actions that should be restricted.
Impact
Successful exploitation could enable an attacker to bypass access controls and perform unauthorized actions within the WooCommerce POS system. Depending on the specific missing authorization, this may lead to information disclosure or privilege escalation, allowing the attacker to view or modify data they should not have access to [1].
Mitigation
Users should update to the latest version of the plugin (1.9.1 or later), which contains the fix [1]. If an immediate upgrade is not possible, review and harden access control configurations as a temporary measure. The vulnerability is fixed in version 1.9.1, the first fixed release after the affected 1.7.8 line.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.7.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.