CVE-2026-48971
Description
Missing Authorization vulnerability in WebToffee Product Import Export for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Product Import Export for WooCommerce: from n/a through 2.5.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Product Import Export for WooCommerce plugin up to 2.5.6 allows unauthenticated access to import/export functionality.
Vulnerability
Missing Authorization vulnerability in WebToffee's Product Import Export for WooCommerce plugin (versions through 2.5.6) allows attackers to exploit incorrectly configured access control security levels [1]. The plugin fails to properly verify user permissions before granting access to import/export features, making the functionality reachable without authentication under certain configurations.
Exploitation
An unauthenticated attacker with network access to the WordPress site can exploit the missing authorization by sending crafted requests to the import/export endpoints [1]. The vulnerability does not require any prior authentication or special privileges.
Impact
Successful exploitation allows an attacker to perform unauthorized actions within the product import/export functionality, potentially leading to disclosure of sensitive product data (e.g., product lists, pricing) or modification of product inventory [1]. The impact is limited to the plugin's data scope.
Mitigation
Update to version 2.5.7 or later, which adds the missing authorization check [1]. Users who cannot update immediately should consult their hosting provider about interim protective measures. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Product Import Export for WooCommerce (WebToffee): <=2.5.6
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.