CVE-2025-66089

Vulnerability

Overview

The Product Feed for WooCommerce plugin by WebToffee (versions up to and including 2.3.1) contains a missing authorization vulnerability. The plugin fails to properly enforce access control checks on certain functions, allowing exploitation of incorrectly configured access control security levels [1]. This is a classic broken access control issue where the software does not verify that a user has the necessary permissions before performing a privileged action is executed.

Exploitation

Conditions

An attacker can exploit this vulnerability without needing any authentication, as the missing authorization check means no valid user session or privilege is required. The attack vector is network-based and requires no special user interaction. The vulnerability is classified as low complexity, making it relatively easy to exploit [1]. Such vulnerabilities are commonly used in mass-exploitable and can be used to target thousands of websites simultaneously, regardless of site size or popularity.

Impact

Successful exploitation allows an unprivileged attacker to perform actions that should be restricted to higher-privileged users. This could include modifying product feed settings, accessing sensitive data, or performing other unauthorized operations within the WordPress installation. The CVSS v3 base score is 4.3 (Medium), indicating a moderate severity with limited to confidentiality and integrity impacts [1].

Mitigation

The vendor has released version 2.3.2 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].