CVE-2025-12545: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in alekv Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more
The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to.
AI Analysis
Technical Summary
CVE-2025-12545 is an information exposure vulnerability (CWE-200) in the Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress, which adds conversion tracking and analytics integrations to WooCommerce stores. The flaw is in the ajax_pmw_get_product_ids() function, an AJAX handler that returns product data for a set of products. Because the handler is reachable without authentication and does not restrict which products may be included in its response, an attacker can ask for password protected, private, or draft products and receive data for them, even though none of those would be shown to that visitor on the storefront. The defect is therefore a missing per-product visibility check rather than a missing login requirement: tracking pixels fire for guest visitors, so an endpoint of this kind presumably has to answer unauthenticated requests, and the filtering has to happen on post status, post password, and catalogue visibility. Exploitation needs no credentials and no user interaction and is performed remotely over the network. All versions up to and including 1.49.2 are affected; the advisory does not name a fixed release. No public exploit was known at the time of writing, but the low attack complexity makes this a practical target. The CVSS v3.1 base score is 5.3 (medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: network attack vector, low complexity, no privileges or user interaction, unchanged scope, and a low confidentiality impact with no integrity or availability impact. What exactly leaks depends on which fields the handler returns, but unpublished product names, pricing, or stock data are the obvious candidates, and any of these can have competitive value.
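The pattern the advisory describes, as an added illustration in PHP (this is example code, not the plugin's source, which is not reproduced on this page): a WordPress AJAX handler that accepts product IDs from the browser, shown first in the unsafe form that returns whatever exists, then hardened so that only products the requester could see on the storefront are included. The action name example_get_product_ids, the request parameter product_ids, the batch cap of 50, and the returned fields are assumptions made for the example.

```php
<?php
// Added example, not the Pixel Manager plugin's code. Assumed: the handler
// receives a list of product IDs in $_POST['product_ids'] and answers with
// name and price per product. Action name and field set are illustrative.

// Shared input parsing: accepts "1,2,3" or an array, returns unique positive ints.
function example_read_requested_ids() {
    if ( ! isset( $_POST['product_ids'] ) ) {
        return array();
    }
    $ids = wp_parse_id_list( wp_unslash( $_POST['product_ids'] ) );
    // Cap the batch so the endpoint cannot be used to sweep the whole catalogue cheaply.
    return array_slice( array_unique( $ids ), 0, 50 );
}

// VULNERABLE PATTERN (CWE-200): the only check is "does a product with this ID exist",
// so draft, private and password-protected products are returned to any visitor.
function example_vulnerable_get_product_ids() {
    $out = array();
    foreach ( example_read_requested_ids() as $id ) {
        $product = wc_get_product( $id );
        if ( $product ) {
            $out[] = array( 'id' => $id, 'name' => $product->get_name(), 'price' => $product->get_price() );
        }
    }
    wp_send_json_success( $out );
}

// Visibility test that mirrors what the storefront itself would show this requester.
function example_product_visible_to_requester( $id ) {
    $post = get_post( $id );
    if ( ! $post || 'product' !== $post->post_type ) {
        return false;
    }
    // Published products of a public post type pass; draft, pending and private do not.
    // is_post_publicly_viewable() exists since WordPress 5.7.
    if ( ! is_post_publicly_viewable( $post ) ) {
        // Logged-in users may still be allowed (e.g. a shop manager previewing a draft);
        // guests have no capabilities, so this is false for them.
        return current_user_can( 'read_post', $post->ID );
    }
    // Published but password-protected: only after the visitor has entered the password
    // (WordPress records that in the wp-postpass_* cookie).
    if ( post_password_required( $post ) ) {
        return false;
    }
    // Products with catalogue visibility "hidden" are not listed on the shop either.
    $product = wc_get_product( $post->ID );
    return $product && $product->is_visible();
}

// HARDENED handler: same contract, but non-visible and non-existent IDs are treated
// identically (silently skipped) so the response cannot be used as an existence oracle.
function example_hardened_get_product_ids() {
    $out = array();
    foreach ( example_read_requested_ids() as $id ) {
        if ( ! example_product_visible_to_requester( $id ) ) {
            continue;
        }
        $product = wc_get_product( $id );
        $out[] = array( 'id' => $id, 'name' => $product->get_name(), 'price' => $product->get_price() );
    }
    wp_send_json_success( $out );
}

// Tracking fires for guests, so the nopriv hook is expected here; that is precisely why
// the per-product filter, not a login requirement, is the control. A nonce check would
// only add CSRF protection and does not authenticate anonymous visitors.
add_action( 'wp_ajax_example_get_product_ids', 'example_hardened_get_product_ids' );
add_action( 'wp_ajax_nopriv_example_get_product_ids', 'example_hardened_get_product_ids' );
```

The important design choice is that the hardened handler keeps answering guests, because removing the nopriv registration would break the plugin's purpose; instead every ID is run through the same checks the storefront applies (public status, no pending password, catalogue visibility), and IDs that fail are dropped without an error so the endpoint does not become a yes/no oracle for unpublished product IDs.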
Potential Impact
The impact is unauthorized disclosure of product information that the store has deliberately kept off the public catalogue: drafts, private products, and password protected listings. For a merchant that can mean early exposure of unreleased products, pricing, or stock positions, which has direct competitive value and can also feed phishing or social engineering that references the leaked details. Integrity and availability are not affected. Because the endpoint answers unauthenticated requests over the network, any internet-facing store running an affected version is exposed without any prior foothold, and the attack amounts to sending requests and reading the responses. The advisory reports no known exploitation at publication time, but the simplicity of the request and the size of the WooCommerce install base mean that should not be relied upon for long, and a store holding sensitive unpublished listings should treat this as a real rather than theoretical confidentiality risk.
Mitigation Recommendations
Update the Pixel Manager for WooCommerce plugin as soon as a release later than 1.49.2 that addresses this issue is available; the advisory does not name the fixed version, so confirm it against the plugin changelog rather than assuming the next release is the fix. If no fix is available and the store holds draft, private, or password protected products whose details matter, deactivating the plugin until it is patched is the only workaround that fully closes the hole. Be clear about what a WAF rule can and cannot do here: ajax_pmw_get_product_ids() is a PHP function, not a URL, and the request reaches it through WordPress's AJAX mechanism (normally wp-admin/admin-ajax.php with an action parameter; the advisory does not give the action name, so read it off the wp_ajax_nopriv_ hook in the plugin source). Because the endpoint is designed to be called from the storefront by guest visitors, blocking unauthenticated requests to it will also stop the plugin's tracking for guests, and an IP allow-list is only workable on staging or internal sites. Rate limiting requests to that action limits how quickly the catalogue can be enumerated without breaking normal use. Tightening user roles does not help, because the attacker has no account; the relevant control is the visibility filter inside the handler, which is the vendor's to fix. For detection, review requests to admin-ajax.php carrying the plugin's action from clients without a WordPress login cookie, and look for bursts of such requests from a single source; POST bodies are not in standard access logs, so capture the action parameter at the WAF or reverse proxy if you need to alert on it. Keep WooCommerce and its extensions current, confirm the installed version is above 1.49.2 after updating, and have an incident response path ready in case log review shows the endpoint was queried for unpublished products before the fix went in.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-31T11:20:54.685Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 691c7c583fd37bbc39576645
Added to database: 11/18/2025, 2:02:00 PM
Last enriched: 2/27/2026, 8:43:59 PM
Last updated: 3/25/2026, 4:36:18 AM