CVE-2025-49350
Description
Missing Authorization vulnerability in marcoingraiti Actionwear products sync (actionwear-products-sync) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Actionwear products sync: from n/a through <= 2.3.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Actionwear products sync WordPress plugin, versions through 2.3.3, has a missing authorization vulnerability: at least one privileged plugin action runs without the capability check that should gate it.
The Actionwear products sync plugin for WordPress (versions up to and including 2.3.3) contains a missing authorization vulnerability (CWE-862). The plugin performs an action that should require a specific capability without first verifying that the requesting user holds it, so a requester with lower privileges than the action was designed for can trigger it [1].
In WordPress plugins this class of flaw almost always sits in an HTTP-reachable handler: an admin-ajax.php action (wp_ajax_* or wp_ajax_nopriv_*), an admin_post_* action, or a REST route whose permission_callback is missing or always returns true. An attacker who can reach the entry point sends a crafted request and the handler carries out the privileged operation. A nonce check does not close this gap: nonces defend against cross-site request forgery on behalf of a user who is already authorized, whereas authorization requires an explicit capability check such as current_user_can(). The CVE description does not state which role, if any, is needed to reach the vulnerable entry point; treat it as reachable by low-privilege or unauthenticated users until the advisory confirms otherwise [1].
The impact is that an attacker can perform an action the plugin reserves for higher-privileged users. The description does not name the action; for a product-sync plugin, likely candidates are triggering the sync or changing its settings, which could alter store data, expose data the sync handles, and serve as a foothold for further compromise of the site. The issue is rated Medium with a CVSS score of 4.3 [1]. Missing-authorization bugs in WordPress plugins are routinely swept up in automated mass-exploitation campaigns once public, so the moderate score should not be read as low urgency [1].
This page lists no patch for the issue. Check the plugin's changelog for a release later than 2.3.3 that addresses it and update as soon as one is available. Until then, deactivate the plugin, or block the entry points it registers (its admin-ajax.php actions, admin_post actions and REST routes) at the web server or WAF, and confirm in the plugin source that each privileged handler calls current_user_can() before acting. The vendor has been notified, and the advisory recommends immediate action [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
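The pattern described above, a WordPress handler reachable through an AJAX/admin_post hook or a REST route that never performs a capability check, can be looked for mechanically. What follows is an added example written for this page, not code from the Actionwear products sync plugin or from its advisory: a small Python audit script that scans PHP source for such handlers and reports the ones that never call current_user_can(). The PHP it runs on is a constructed sample; every function, hook, option and route name in it (aw_sync_products, aw_sync_settings, aw/v1/sync and so on) is hypothetical and is not claimed to exist in the real plugin.

```python
"""Audit helper for CWE-862 (missing authorization) patterns in WordPress plugin code.

Added example for this page, not code from the Actionwear products sync plugin.
It flags PHP functions that are reachable through admin-ajax / admin_post hooks
or REST routes with permission_callback => '__return_true' and that never call
current_user_can(). The PHP sample is constructed; all names in it are hypothetical.
"""
import re

SAMPLE_PHP = r'''<?php
// Hypothetical handler: reachable without login (wp_ajax_nopriv_) and no capability check.
add_action('wp_ajax_nopriv_aw_sync_products', 'aw_sync_products');
add_action('wp_ajax_aw_sync_products', 'aw_sync_products');
function aw_sync_products() {
    update_option('aw_sync_settings', wp_unslash($_POST['settings']));
    wp_send_json_success();
}

// Hardened variant: logged-in hook only, CSRF nonce, then an explicit capability check.
add_action('wp_ajax_aw_sync_products_safe', 'aw_sync_products_safe');
function aw_sync_products_safe() {
    check_ajax_referer('aw_sync', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    update_option('aw_sync_settings', wp_unslash($_POST['settings']));
    wp_send_json_success();
}

// Hypothetical REST route left open to everyone.
register_rest_route('aw/v1', '/sync', array(
    'methods'             => 'POST',
    'callback'            => 'aw_rest_sync',
    'permission_callback' => '__return_true',
));
function aw_rest_sync($request) {
    return aw_do_sync($request->get_json_params());
}
'''

# Hooks that expose a PHP callable over HTTP; the *_nopriv_ variants need no login.
AJAX_HOOK = re.compile(
    r"""add_action\(\s*['"](wp_ajax_nopriv_|wp_ajax_|admin_post_nopriv_|admin_post_)(\w+)['"]\s*,\s*['"](\w+)['"]""")
# register_rest_route(namespace, route, array(...)); captures the array text for inspection.
REST_ROUTE = re.compile(
    r"""register_rest_route\(\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"](.*?)\)\s*;""", re.S)
REST_CALLBACK = re.compile(r"""['"]callback['"]\s*=>\s*['"](\w+)['"]""")
REST_OPEN = re.compile(r"""['"]permission_callback['"]\s*=>\s*['"]__return_true['"]""")
FUNC_DEF = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")


def function_bodies(php):
    """Map function name -> body text, found by matching braces from the opening '{'.
    Braces inside string literals are not special-cased, so treat this as a heuristic."""
    bodies = {}
    for m in FUNC_DEF.finditer(php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {"{": 1, "}": -1}.get(php[i], 0)
            i += 1
        bodies[m.group(1)] = php[m.end():i - 1]
    return bodies


def find_missing_authz(php):
    """Return handlers that are exposed over HTTP yet never call current_user_can()."""
    bodies = function_bodies(php)
    exposed = {}  # handler name -> set of entry points that reach it
    for prefix, action, handler in AJAX_HOOK.findall(php):
        exposed.setdefault(handler, set()).add(prefix + action)
    for ns, route, args in REST_ROUTE.findall(php):
        cb = REST_CALLBACK.search(args)
        if cb and REST_OPEN.search(args):
            exposed.setdefault(cb.group(1), set()).add(
                "REST " + ns + route + " (permission_callback=__return_true)")
    findings = []
    for handler, entries in sorted(exposed.items()):
        body = bodies.get(handler)
        if body is None or "current_user_can(" in body:
            continue  # defined elsewhere (review by hand) or has an explicit capability check
        unauth = any("nopriv" in e or e.startswith("REST ") for e in entries)
        findings.append({
            "handler": handler,
            "entry_points": sorted(entries),
            "reachable_by": "unauthenticated" if unauth else "any logged-in user",
        })
    return findings


if __name__ == "__main__":
    for f in find_missing_authz(SAMPLE_PHP):
        print(f"{f['handler']}: no current_user_can() call; reachable by "
              f"{f['reachable_by']} via {', '.join(f['entry_points'])}")
```

To run this against an installed copy, read each .php file under wp-content/plugins/actionwear-products-sync/ and pass the text to find_missing_authz(). The regexes only follow string-named callbacks, so closures, array callbacks and handlers whose capability check lives in a helper function need manual review; a clean result is a starting point, not proof that the plugin is safe.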
Affected products
- Actionwear products sync (actionwear-products-sync), range: <= 2.3.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.