CVE-2025-49998
Description
Missing Authorization vulnerability in Wetail WooCommerce Fortnox Integration woocommerce-fortnox-integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Fortnox Integration: from n/a through <= 4.5.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in the WooCommerce Fortnox Integration plugin (versions <= 4.5.5) allows unauthenticated attackers to exploit broken access controls.
Vulnerability Summary
The WooCommerce Fortnox Integration plugin for WordPress contains a missing authorization vulnerability (broken access control) in versions <= 4.5.5. This flaw arises from the plugin failing to properly verify user permissions before allowing access to certain functions, enabling attackers to bypass security checks [1].
Exploitation Method
The vulnerability can be exploited without authentication or with minimal privileges, making it suitable for mass-exploit campaigns that target thousands of websites regardless of their size or popularity [1]. Attackers can send crafted requests to exploit the incorrectly configured access control security levels.
Impact
Successful exploitation allows an unauthorized user to execute higher-privileged actions within the plugin, such as modifying orders, accessing sensitive data, or performing administrative operations without proper authorization [1]. This could lead to data integrity issues or further compromise.
Mitigation
The plugin vendor has released version 4.5.6, which addresses the vulnerability. Users are strongly advised to update immediately or enable auto-updates if using Patchstack [1]. For those unable to update, consulting with a hosting provider or web developer is recommended as a temporary measure.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.5.5
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.