CVE-2025-12545: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in alekv Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more
The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to.
AI Analysis
Technical Summary
CVE-2025-12545 is an information exposure vulnerability classified under CWE-200, found in the Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress. The vulnerability resides in the ajax_pmw_get_product_ids() function, which does not adequately restrict which products may be included in its response. As a result, unauthenticated attackers can retrieve product IDs and associated data for products that are password protected, private, or in draft status, all of which should be inaccessible without proper authorization. The root cause is the absence of sufficient access control checks within the AJAX handler, so crafted requests can leak data. All plugin versions up to and including 1.49.2 are affected. The CVSS 3.1 base score is 5.3 (medium): network attack vector, no privileges required, no user interaction, and impact limited to a loss of confidentiality, with no impact on integrity or availability. No public exploits have been reported, but the vulnerability is publicly disclosed and documented. The exposed data could give attackers business intelligence or product details usable for further attacks or competitive advantage. The plugin is widely deployed on WooCommerce-based e-commerce sites, which are common in Europe. Exploitation is straightforward, requiring only a network request with no authentication or user interaction, which raises the risk profile. Because no patch was available at the time of disclosure, interim mitigations are needed to prevent data leakage.
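To make the root cause concrete, the following added example (not the plugin's code, and not derived from it) models a product-ID lookup with the missing restriction the advisory describes beside a hardened version that checks visibility per product. The product records, the `Product` structure, and the use of `read_private_products` / `edit_products` as capability names are assumptions for this illustration; the plugin's real data model is not given on this page.

```python
"""
Added illustration: an AJAX product-ID lookup that returns every product it
knows about (the pattern the advisory describes) next to one that applies
WordPress-style visibility rules per product. All records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    id: int
    status: str        # WordPress post_status: "publish", "private", "draft", "pending"
    password: str = "" # non-empty means the product is password protected


# Constructed sample catalogue covering each visibility case
CATALOG = [
    Product(101, "publish"),
    Product(102, "publish", password="s3cret"),
    Product(103, "private"),
    Product(104, "draft"),
    Product(105, "publish"),
]


def vulnerable_get_product_ids(catalog, requested_ids):
    """Insufficient restriction: any product that exists is returned to any
    caller, regardless of status or password protection."""
    known = {p.id for p in catalog}
    return [pid for pid in requested_ids if pid in known]


def caller_may_see(product, caller_caps):
    """Visibility rule applied per product. An unauthenticated caller has no
    capabilities, so only published, unprotected products are visible.
    Capability names are assumed for this example."""
    if product.status == "publish":
        return not product.password or "edit_products" in caller_caps
    if product.status == "private":
        return "read_private_products" in caller_caps
    if product.status in ("draft", "pending", "future"):
        return "edit_products" in caller_caps
    return False  # trash or unknown status: never exposed


def hardened_get_product_ids(catalog, requested_ids, caller_caps=frozenset()):
    """Same lookup, but each product is filtered through caller_may_see()
    before it is included in the response."""
    by_id = {p.id: p for p in catalog}
    return [
        pid for pid in requested_ids
        if pid in by_id and caller_may_see(by_id[pid], caller_caps)
    ]


if __name__ == "__main__":
    wanted = [101, 102, 103, 104, 105, 999]
    print("vulnerable, anonymous:", vulnerable_get_product_ids(CATALOG, wanted))
    print("hardened,   anonymous:", hardened_get_product_ids(CATALOG, wanted))
    print("hardened,   editor   :", hardened_get_product_ids(
        CATALOG, wanted, frozenset({"edit_products", "read_private_products"})))
```

The point of the comparison is that the decision has to be made per product against the caller's actual privileges; an existence check alone is what lets password-protected, private and draft items through to an anonymous request.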
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive product information, including details of products not yet published or restricted by password or privacy settings. This could lead to competitive intelligence leaks, exposure of pricing strategies, or premature disclosure of new product launches. While it does not directly affect system integrity or availability, the confidentiality breach could undermine customer trust and violate data protection principles if product data includes personal or sensitive information. E-commerce businesses relying on WooCommerce and this plugin may face reputational damage and potential regulatory scrutiny under GDPR if personal data is indirectly exposed. The ease of exploitation without authentication increases the threat, especially for organizations with public-facing WooCommerce stores. Attackers could automate data harvesting at scale, affecting multiple organizations. The impact is particularly significant for high-value retail sectors and businesses with sensitive or proprietary product catalogs.
Mitigation Recommendations
Organizations should monitor the vendor's announcements for an official patch and apply it promptly once available. Until a patch is released, administrators can implement custom access controls at the web server or application firewall level to restrict access to the ajax_pmw_get_product_ids() endpoint, limiting it to authenticated and authorized users only. Reviewing and tightening WordPress user roles and permissions can reduce exposure. Employing security plugins that monitor and block suspicious AJAX requests may help mitigate exploitation attempts. Additionally, organizations should audit their WooCommerce product visibility settings and avoid storing sensitive data in product fields accessible via AJAX. Regular security assessments and penetration tests focusing on plugin vulnerabilities are recommended. Finally, logging and monitoring access to AJAX endpoints can help detect exploitation attempts early.
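The last recommendation, logging and monitoring access to the AJAX endpoint, can be put into practice with a small log scan. The following added example (not from the page or the plugin) parses constructed combined-format access log lines, counts requests per client to admin-ajax.php for the product-ID action, and flags clients that walk through many distinct product IDs. The action name `pmw_get_product_ids` and the parameter name `product_ids` are assumptions; the advisory gives only the PHP function name, so substitute the real request parameters observed on your own site.

```python
"""
Added detection example: summarize admin-ajax.php product-ID lookups per
client IP from access logs and flag bulk enumeration. Log lines are
constructed; the action and parameter names are placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION_NAME = "pmw_get_product_ids"  # ASSUMED: real action name not on the page
ID_PARAM = "product_ids"             # ASSUMED: real parameter name not on the page

# Combined log format: ip ident user [ts] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample: one client sweeping IDs in batches, one ordinary client
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2025:14:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=pmw_get_product_ids&product_ids=101,102,103 HTTP/1.1" 200 512
203.0.113.7 - - [18/Nov/2025:14:02:01 +0000] "GET /wp-admin/admin-ajax.php?action=pmw_get_product_ids&product_ids=104,105,106 HTTP/1.1" 200 498
203.0.113.7 - - [18/Nov/2025:14:02:02 +0000] "GET /wp-admin/admin-ajax.php?action=pmw_get_product_ids&product_ids=107,108,109 HTTP/1.1" 200 470
198.51.100.4 - - [18/Nov/2025:14:05:10 +0000] "POST /wp-admin/admin-ajax.php?action=pmw_get_product_ids HTTP/1.1" 200 120
198.51.100.4 - - [18/Nov/2025:14:05:11 +0000] "GET /product/blue-widget/ HTTP/1.1" 200 9001
203.0.113.7 - - [18/Nov/2025:14:02:03 +0000] "GET /?s=widget HTTP/1.1" 200 7000
"""


def parse_line(line):
    """Return (ip, path, query dict) for a parsable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("ip"), parts.path, parse_qs(parts.query)


def summarize_product_id_lookups(log_text):
    """Per client IP: number of calls to the product-ID action and the set of
    distinct IDs visible in the query string (POST bodies are not logged)."""
    summary = defaultdict(lambda: {"requests": 0, "distinct_ids": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, query = parsed
        if path != AJAX_PATH or query.get("action", [None])[0] != ACTION_NAME:
            continue
        entry = summary[ip]
        entry["requests"] += 1
        for raw in query.get(ID_PARAM, []):
            entry["distinct_ids"].update(
                int(tok) for tok in raw.split(",") if tok.strip().isdigit()
            )
    return dict(summary)


def flag_enumerators(summary, min_requests=3, min_distinct_ids=6):
    """Clients that both call the endpoint repeatedly and touch many distinct
    product IDs are the ones worth reviewing or rate-limiting."""
    return sorted(
        ip for ip, e in summary.items()
        if e["requests"] >= min_requests and len(e["distinct_ids"]) >= min_distinct_ids
    )


if __name__ == "__main__":
    s = summarize_product_id_lookups(SAMPLE_LOG)
    for ip, e in s.items():
        print(ip, e["requests"], "requests,", len(e["distinct_ids"]), "distinct ids")
    print("flagged:", flag_enumerators(s))
```

Thresholds are site-specific: a storefront whose own front-end legitimately batches lookups will need higher values than the constructed sample uses, so calibrate against a baseline window before alerting on the result.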
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-31T11:20:54.685Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691c7c583fd37bbc39576645
Added to database: 11/18/2025, 2:02:00 PM
Last enriched: 11/18/2025, 2:16:37 PM
Last updated: 11/19/2025, 4:14:44 AM
Views: 14