CVE-2025-67599
Description
Missing Authorization vulnerability in WebToffee WebToffee eCommerce Marketing Automation decorator-woocommerce-email-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebToffee eCommerce Marketing Automation: from n/a through <= 2.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WebToffee eCommerce Marketing Automation plugin for WordPress ≤2.1.1 has a missing authorization vulnerability allowing unauthenticated access to privileged functions.
The WebToffee eCommerce Marketing Automation plugin (decorator-woocommerce-email-customizer) for WordPress contains a broken access control vulnerability in versions up to and including 2.1.1. The issue stems from missing authorization checks in one or more functions, so the plugin does not enforce the access control level those functions require. This allows an unprivileged user to execute actions that should require higher privileges [1].
Exploitation does not require authentication; an attacker can send crafted requests to the vulnerable endpoint without any prior login. The attack surface is the plugin's REST API or admin-facing functions that lack proper capability checks. No specific network position is needed beyond standard internet access to the target site [1].
An attacker exploiting this vulnerability can perform unauthorized administrative actions, such as modifying plugin settings, accessing sensitive data, or altering email templates. While the CVSS v3 score of 4.3 indicates medium severity, the vulnerability is considered low severity in the WordPress context and unlikely to be exploited in mass campaigns, though similar flaws are often used in automated attacks [1].
A patched version 2.1.2 is available, and users are advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. For those unable to update, contacting a hosting provider or web developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.