VYPR
Medium severity 5.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 27, 2026

CVE-2025-67580

Description

Missing Authorization vulnerability in Constant Contact Constant Contact + WooCommerce constant-contact-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Constant Contact + WooCommerce: from n/a through <= 2.4.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Constant Contact + WooCommerce plugin <=2.4.1 allows unprivileged users to perform higher-privileged actions. Update to 2.4.2.

The Constant Contact + WooCommerce plugin for WordPress contains a missing authorization vulnerability in versions up to and including 2.4.1. This is a broken access control issue where the plugin fails to properly enforce authentication, authorization, or nonce token checks in certain functions. As a result, unprivileged users can perform actions that should require higher privileges. [1]

Attackers can exploit this vulnerability by sending crafted HTTP requests to the affected plugin endpoints. Exploitation requires either no authentication or only minimal privileges, so it is accessible to unauthenticated or low-privilege users. The vulnerability is identified as being used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity. [1]

Successful exploitation allows an attacker to execute higher-privileged actions within the WordPress installation. This could include modifying plugin settings, accessing sensitive data, or performing actions that compromise the site's security. The impact is considered low severity but still requires attention due to the potential for widespread abuse. [1]

To mitigate the risk, users should update the plugin to version 2.4.2 or later, which addresses the vulnerability. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, it is recommended to ask the hosting provider or web developer for assistance. [1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
