CVE-2025-66114

The Show Variations as Single Products WooCommerce plugin for WordPress (versions up to and including 2.0) contains a missing authorization vulnerability. The plugin fails to properly enforce access control checks on certain functions, allowing unauthenticated users to perform actions that should require higher privileges [1].

Exploitation requires no authentication and can be carried out remotely. The vulnerability is classified as a broken access control issue, meaning the plugin does not verify user permissions before executing sensitive operations. This makes it possible for attackers to bypass security restrictions without needing any special access [1].

An attacker exploiting this flaw can access or modify protected functionality, potentially leading to unauthorized changes to product variations or other settings. The CVSS v3 score of 5.3 reflects the medium severity, with low impact on confidentiality and integrity but no impact on availability [1].

The vendor has released version 3.0 which addresses the vulnerability. Users are strongly advised to update to version 3.0 or later. For those unable to update immediately, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].