CVE-2025-64382
Description
Missing Authorization vulnerability in WebToffee Order Export & Order Import for WooCommerce (plugin slug: order-import-export-for-woocommerce) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Export & Order Import for WooCommerce: from n/a through 2.6.7 (all versions <= 2.6.7).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WebToffee Order Export & Order Import for WooCommerce (≤2.6.7) lets users who lack the required WordPress capability invoke privileged plugin functions.
Vulnerability overview
CVE-2025-64382 is a missing authorization vulnerability in the WebToffee Order Export & Order Import for WooCommerce plugin for WordPress, affecting versions up to and including 2.6.7. The plugin fails to enforce capability checks on certain functions, so users who do not hold the capability the operation should require (in practice, low-privileged authenticated users) can perform actions intended for shop managers or administrators [1].
Exploitation
The bug class is broken access control: the plugin exposes functionality without first verifying that the calling user holds the appropriate capability, so a request to the affected entry point from an account that should not be allowed to use it is still processed [1]. The CVE description does not name the exact entry point or say whether a nonce check is also absent. Two points matter for triage. First, in WordPress a nonce only guards against CSRF; it is not a substitute for a capability check, so a handler that validates a nonce but never calls current_user_can() is still missing authorization. Second, the CVSS score of 4.3 reported in [1] is the value produced by a network-reachable, low-complexity vector that requires low privileges (PR:L) and has limited confidentiality impact; the same vector with no privileges required (PR:N) scores 5.3. The score therefore points to an attack that needs an ordinary authenticated account (for example, a subscriber on a shop with open registration) rather than a fully unauthenticated one. Given that the plugin's purpose is exporting and importing order data, the privileged operations at risk are most plausibly of that kind.
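The following is an added illustration of the bug class described above, written for this page; it is not code from the WebToffee plugin, and the hook names, function names, capability choice and script handle are assumptions. It shows an AJAX handler that any logged-in user can reach beside the hardened form that checks the caller's capability and then the nonce.

```php
<?php
// Illustrative pattern only (assumed names throughout). NOT code from the
// order-import-export-for-woocommerce plugin; it shows the bug class, not the
// plugin's actual entry point.

// --- Vulnerable shape: missing authorization -----------------------------
// wp_ajax_{action} fires for ANY authenticated user, subscriber included.
// Registering a privileged operation on it without a capability check means
// every account on the site can run it. (Hooking wp_ajax_nopriv_{action} as
// well would open it to unauthenticated visitors.)
add_action( 'wp_ajax_demo_export_orders', 'demo_export_orders_vulnerable' );
function demo_export_orders_vulnerable() {
    // wc_get_orders() is the WooCommerce order query API; order objects carry
    // customer names, addresses and e-mail, so this is a data disclosure.
    $orders = wc_get_orders( array( 'limit' => -1 ) );
    wp_send_json_success(
        array_map( static fn( $order ) => $order->get_data(), $orders )
    );
}

// --- Hardened shape: capability check, then nonce ------------------------
add_action( 'wp_ajax_demo_export_orders_fixed', 'demo_export_orders_fixed' );
function demo_export_orders_fixed() {
    // 1. Authorization. manage_woocommerce is the capability WooCommerce grants
    //    to shop managers and administrators; subscribers do not have it.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // sends JSON and exits
    }

    // 2. CSRF. check_ajax_referer() verifies the nonce in the 'nonce' request
    //    field against the 'demo_export_orders' action and dies on mismatch.
    //    A nonce alone would NOT have fixed the bug: it proves the request came
    //    from a page the plugin rendered for this user, not that the user is
    //    allowed to export orders.
    check_ajax_referer( 'demo_export_orders', 'nonce' );

    $orders = wc_get_orders( array( 'limit' => -1 ) );
    wp_send_json_success(
        array_map( static fn( $order ) => $order->get_data(), $orders )
    );
}

// --- Issuing the nonce the hardened handler expects -----------------------
// Only enqueued on admin screens; the script handle 'demo-export-admin' is an
// assumption and must match a registered script.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'demo-export-admin', 'demoExport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_export_orders' ),
    ) );
} );
```

The order of the two checks in the fixed handler is deliberate: the capability check is the authorization decision, and it fails closed for every account below shop manager regardless of whether a valid nonce was supplied. The same pattern applies to admin_post_{action} handlers and to REST routes, where the equivalent of the capability check is the route's permission_callback.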
Impact
Successful exploitation could allow an attacker to read or modify order data. WooCommerce orders carry customer personal data (names, billing and shipping addresses, e-mail addresses and order history), so an unauthorized export is a disclosure of customer PII, and an unauthorized import can alter order records in the shop. The CVSS score reported in [1] is 4.3 (Medium). The reference also mentions mass-exploit campaigns against thousands of websites [1]; that statement should be read as a general warning about WordPress plugin flaws, since nothing on this page documents in-the-wild exploitation of this specific CVE.
Mitigation
According to [1], the vendor has released version 2.6.8, which adds the missing authorization checks; users are strongly advised to update immediately. To confirm the installed version, read the Version header of the plugin's main file or run wp plugin get order-import-export-for-woocommerce --field=version with WP-CLI, and treat anything at or below 2.6.7 as vulnerable. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, reduce exposure in the meantime by disabling the plugin until it can be updated and by restricting self-registration of low-privileged accounts, since a low-privileged account is the likely prerequisite; contacting a hosting provider or web developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Order Export & Order Import for WooCommerce (order-import-export-for-woocommerce) - Range: <=2.6.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.