VYPR
Medium severity 4.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 27, 2026

CVE-2025-66528

Description

Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce woo-thank-you-page-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thank You Page Customizer for WooCommerce: from n/a through <= 1.1.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Thank You Page Customizer for WooCommerce plugin <=1.1.8 has a broken access control vulnerability allowing unauthenticated attackers to access unauthorized functionality.

Vulnerability Overview

The Thank You Page Customizer for WooCommerce plugin (versions up to and including 1.1.8) suffers from a missing authorization vulnerability. This broken access control issue arises from insufficient validation of user permissions or missing nonce tokens in certain functions, leading to incorrect access control security levels [1].

Exploitation Details

Attackers can exploit this vulnerability without requiring any authentication. By sending specially crafted requests, they can bypass intended access restrictions and perform actions that should be reserved for higher-privileged users. The attack surface is broad, as the vulnerability affects all websites running the affected plugin versions [1].

Impact

Successful exploitation could allow an unauthenticated attacker to access sensitive data or execute unauthorized operations within the WooCommerce environment. This may lead to data exposure, order manipulation, or other malicious activities, depending on the missing checks [1].

Mitigation

The vulnerability is addressed in version 1.1.9 of the plugin. Users are strongly advised to update to this version or later immediately. For Patchstack users, enabling auto-updates for vulnerable plugins can help prevent exploitation [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1