CVE-2025-50008

Vulnerability

Overview The WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily plugin (innovs-woo-manager) for WordPress contains a broken access control vulnerability in versions n/a through 1.2.4.5 [1]. This is a missing authorization issue, meaning certain functions lack proper capability or nonce checks, allowing exploitation of incorrectly configured access control security levels.

Exploitation

Conditions An unauthenticated or low-privileged attacker can exploit this vulnerability without needing special permissions. The flaw occurs because the plugin fails to verify whether a user has the required privileges before performing sensitive actions. As noted in the advisory, broken access control issues like this are commonly used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity [1].

Impact

Successful exploitation could allow an attacker to modify WooCommerce-related settings or data, such as cart behavior, add-to-cart button functionality, or checkout fields. This could lead to unauthorized changes in store operations, potential data exposure, or further compromise of the site.

Mitigation

The vendor has not yet released a patched version; the advisory recommends updating immediately when available. As a workaround, users should contact their hosting provider or web developer for assistance, or consider disabling the plugin until a fix is released [1].