CVE-2025-60159
Description
Missing Authorization vulnerability in webmaniabr Nota Fiscal Eletrônica WooCommerce nota-fiscal-eletronica-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nota Fiscal Eletrônica WooCommerce: from n/a through <= 3.4.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Nota Fiscal Eletrônica WooCommerce plugin ≤3.4.0.9 allows unprivileged users to access high-privilege actions.
Vulnerability Description
The Nota Fiscal Eletrônica WooCommerce plugin for WordPress, up to version 3.4.0.9, suffers from a missing authorization vulnerability. This is a broken access control issue where certain functions lack proper permission checks, authentication, or nonce token validation. The absence of these controls potentially allows an unprivileged user to perform actions that should require higher privileges [1].
Exploitation Context
Exploitation requires no special authentication or network position; an attacker can exploit this vulnerability to attack thousands of websites at once, regardless of their size or popularity [1]. The CVSS score of 4.3 corresponds to medium severity, but the potential for mass exploitation campaigns exists [1].
Impact
If exploited, an attacker could execute higher-privileged actions within the plugin, leading to unauthorized configuration changes or data exposure. The impact is considered low severity but could be part of a larger attack chain.
Mitigation
Users are advised to update the plugin to version 3.4.1.0 or later, which resolves the issue. For those unable to update immediately, contacting a hosting provider or web developer for assistance is recommended [1]. Auto-update features (if available) can also be enabled to keep the plugin secure [1].
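A defender-side check for the version range stated above, as an added example that is not part of the advisory or the plugin's code. It assumes the standard `wp-content/plugins/<slug>` layout; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "nota-fiscal-eletronica-woocommerce"  # slug from the CVE description
LAST_AFFECTED = (3, 4, 0, 9)                         # "<= 3.4.0.9" per the description

# WordPress reads plugin metadata from a header comment at the top of the main PHP file.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(text):
    """Turn '3.4.0.9' into (3, 4, 0, 9); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(version_text):
    """True when the version falls in the affected range (<= 3.4.0.9)."""
    v = parse_version(version_text)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))  # so that 3.4.1 compares as 3.4.1.0
    return pad(v) <= pad(LAST_AFFECTED)

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if not found."""
    plugin_dir = Path(plugin_dir)
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if NAME_RE.search(head):
            m = VERSION_RE.search(head)
            return m.group(1) if m else None
    return None

def audit(wp_root):
    """Return (version, affected), or None if the plugin or its Version header is absent."""
    version = installed_version(Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG)
    return None if version is None else (version, is_affected(version))

if __name__ == "__main__":
    for root in sys.argv[1:]:  # pass one or more WordPress root directories
        print(root, audit(root))
```

Run it with each WordPress root as an argument; any site reported as `True` still needs the update to 3.4.1.0 or later.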
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.4.0.9
Patches
No patches discovered yet.