CVE-2025-60247
Description
Missing Authorization vulnerability in Bux Bux Woocommerce bux-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Bux Woocommerce: from n/a through <= 1.2.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bux Woocommerce plugin up to 1.2.3 lacks authorization checks, allowing unauthenticated access to restricted functionality.
Vulnerability Overview
The Bux Woocommerce plugin for WordPress (versions 1.2.3 and below) contains a Missing Authorization vulnerability, classified as a Broken Access Control issue [1]. The plugin fails to properly constrain access to certain functions, meaning that functionality that should require higher privileges is exposed without adequate ACL checks [1].
Attack Vector
An attacker can exploit this vulnerability by sending crafted requests to the affected endpoints without needing any authentication or prior access. Because the plugin omits authorization or nonce token checks in key functions, any user—or even unauthenticated visitors—can trigger privileged actions [1]. The attack surface is broad; such flaws are commonly targeted in mass-exploit campaigns against large numbers of WordPress sites [1].
Impact
Successful exploitation could allow an attacker to access or execute functionality that is intended only for administrators or other authorized roles. The exact capabilities gained depend on the unprotected functions, but could include modifying settings, retrieving sensitive data, or performing other unauthorized operations [1]. The vulnerability is rated with a CVSS v3 score of 6.5 (Medium) and is considered moderately dangerous [1].
Mitigation
The vendor has released patched versions; users are strongly advised to update the plugin immediately. If immediate updating is not possible, site owners should contact their hosting provider or a web developer for assistance [1]. No workarounds beyond updating have been published.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.2.3
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.