CVE-2025-68994
Description
Missing Authorization vulnerability in XforWooCommerce Product Loops for WooCommerce product-loops allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Loops for WooCommerce: from n/a through <= 2.1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Product Loops for WooCommerce <=2.1.2 has a missing authorization check, allowing unprivileged attackers to exploit incorrect access control security levels.
Vulnerability Overview
A Missing Authorization vulnerability has been discovered in the XforWooCommerce Product Loops for WooCommerce plugin (product-loops) for WordPress. Versions from n/a through 2.1.2 are affected. The issue stems from an incorrectly configured access control security level, leaving certain functions unprotected by proper authorization checks [1].
Exploitation Details
This broken access control vulnerability can be exploited by unauthenticated or low-privileged users who lack the necessary permissions. Attackers can target the plugin's vulnerable functions without needing to authenticate as an administrator, making the attack surface accessible to a wide range of potential threat actors [1].
Impact
Successful exploitation allows an attacker to perform unauthorized actions that should normally require higher privileges. Given that this plugin is used on WooCommerce sites, the impact may include manipulation of product-related data, exposure of sensitive information, or other unintended operations within the context of the affected WordPress installation [1].
Mitigation
The plugin vendor has likely not released a patch beyond version 2.1.2. The advisory strongly recommends updating the plugin immediately. If an update is unavailable, users should engage their hosting provider or web developer to implement workarounds or restrict access to the plugin's functionalities [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.1.2
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.