CVE-2025-12091 identifies a missing authorization vulnerability (CWE-862) in the Search, Filters & Merchandising for WooCommerce plugin for WordPress, affecting all versions up to and including 3.0.63. The vulnerability arises because the plugin's 'wcis_save_email' endpoint lacks proper capability checks, allowing any authenticated user with Subscriber-level privileges or above to invoke this endpoint and deactivate the plugin. This missing authorization means that attackers do not need elevated privileges such as Administrator or Editor roles to perform this action, significantly lowering the bar for exploitation. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N). The CVSS 3.1 base score is 4.3 (medium), reflecting low impact on confidentiality and availability but a partial impact on integrity due to unauthorized modification of plugin state. No patches or fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability could be leveraged by attackers who have gained low-level authenticated access to disrupt e-commerce operations by disabling critical search and merchandising functionality on WooCommerce sites, potentially impacting sales and user experience.

The primary impact of this vulnerability is the unauthorized deactivation of the Search, Filters & Merchandising plugin, which can disrupt e-commerce site functionality by disabling search and filtering capabilities critical for product discovery and merchandising. This disruption can degrade user experience, reduce sales, and damage brand reputation. Since the vulnerability requires only Subscriber-level access, attackers who compromise low-privilege accounts or exploit weak authentication mechanisms can cause this disruption without needing administrative privileges. Although the vulnerability does not expose sensitive data or cause denial of service directly, the integrity of the e-commerce platform’s operational state is compromised. Organizations relying heavily on WooCommerce and this plugin for their online storefronts are at risk of operational disruption, which can have financial and reputational consequences. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks once the vulnerability becomes widely known.

To mitigate this vulnerability, organizations should immediately restrict Subscriber-level users from accessing or invoking the 'wcis_save_email' endpoint by implementing custom capability checks or access controls at the web server or application firewall level. Monitoring and auditing user activities related to plugin management endpoints can help detect unauthorized attempts. Until an official patch is released, consider temporarily disabling the plugin if Subscriber-level access cannot be sufficiently restricted or isolating the plugin’s management endpoints behind additional authentication layers. Updating the plugin to a patched version once available is critical. Additionally, enforcing strong authentication policies, limiting user roles strictly to necessary privileges, and employing multi-factor authentication can reduce the risk of low-privilege account compromise. Regular backups of site configurations and plugin states will facilitate recovery if unauthorized deactivation occurs.