VYPR
Medium severity 5.3 · NVD Advisory · Published Nov 21, 2025 · Updated Apr 15, 2026

CVE-2025-66071

Description

Missing Authorization vulnerability in tychesoftwares Custom Order Numbers for WooCommerce custom-order-numbers-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Order Numbers for WooCommerce: from n/a through <= 1.11.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Custom Order Numbers for WooCommerce plugin allows unauthenticated attackers to exploit access control flaws, potentially leading to unauthorized actions.

Vulnerability Overview

The Custom Order Numbers for WooCommerce plugin for WordPress suffers from a missing authorization vulnerability (CVE-2025-66071). The plugin fails to properly enforce access controls on certain functions, allowing unauthenticated or low-privileged users to execute actions that should require higher permissions [1].

Exploitation Details

Attackers can exploit this flaw by sending specially crafted HTTP requests to the plugin's endpoints without needing any authentication. The vulnerability is classified as a broken access control issue, meaning the plugin does not verify that the user has the necessary capabilities before performing sensitive operations [1]. This makes it possible for attackers to target thousands of websites in mass-exploit campaigns.

Impact

Successful exploitation could allow an attacker to modify order numbers or other settings, potentially disrupting e-commerce operations or causing data integrity issues. The CVSS v3 score of 5.3 reflects a medium severity, but the ease of exploitation and the potential for automated attacks increase the risk [1].

Mitigation

The vendor has released version 1.11.1 of the plugin, which addresses the missing authorization checks. Users are strongly advised to update immediately. If updating is not possible, consider disabling the plugin or implementing additional access controls. The advisory notes that this vulnerability is actively used in mass-exploit campaigns, so prompt action is critical [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
