VYPR
Medium severity 4.3 · NVD Advisory · Published Oct 27, 2025 · Updated Apr 27, 2026

CVE-2025-62935

Description

Missing Authorization vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Open Close WooCommerce Store: from n/a through <= 5.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization vulnerability in Open Close WooCommerce Store plugin up to 5.0.0 allows unauthenticated attackers to exploit access control flaws.

Vulnerability Overview

Versions of the Open Close WooCommerce Store plugin for WordPress (woc-open-close) up to and including 5.0.0 suffer from a missing authorization vulnerability. The issue arises from incorrectly configured access control security levels, which allow unauthenticated or low-privileged users to perform actions that should require higher privileges [1].

Exploitation

Attackers can exploit this vulnerability by sending crafted requests to the plugin's functions that lack proper authorization checks. No authentication is required, so anyone with network access to the WordPress site can trigger the missing authorization flaw. The vulnerability falls into the broken access control category, which is common in WordPress plugins [1].

Impact

Successful exploitation enables an attacker to perform unauthorized actions, such as modifying plugin settings or accessing restricted data. This can lead to further compromise of the WordPress site, including potential denial of service or data manipulation. The CVSS v3 base score of 4.3 (Medium) reflects the potential for exploitation without authentication but with some limitations on impact [1].

Mitigation

The vendor has not released a patch beyond version 5.0.0, and users are advised to update the plugin to the latest available version. If an update is not possible, consider disabling the plugin or implementing additional access controls via a Web Application Firewall (WAF) or server-level rules. This vulnerability is noted as being used in mass-exploit campaigns, so immediate action is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
