The vulnerability identified as CVE-2025-13314 affects the 'Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus' plugin for WordPress, developed by markutos987. This plugin facilitates product filtering on WooCommerce stores by categories, tags, and price ranges. The core issue is a missing authorization (CWE-862) on two AJAX endpoints: 'filter_save_settings' and 'add_filter_options'. These endpoints lack capability checks, allowing unauthenticated attackers to invoke them and modify the plugin's settings arbitrarily. This can lead to unauthorized creation or alteration of filter options, potentially manipulating how products are displayed or filtered on the e-commerce site. The vulnerability affects all versions up to and including 1.1.5. The CVSS v3.1 score is 5.3 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), integrity impact (I:L), and no availability impact (A:N). No patches or updates are currently linked, and no known exploits have been reported in the wild. The vulnerability could be exploited remotely without authentication, making it a significant risk for affected sites.

The primary impact of this vulnerability is the unauthorized modification of plugin settings, which compromises the integrity of the e-commerce site's filtering functionality. Attackers could manipulate product filters to mislead customers, hide or highlight specific products, or disrupt the shopping experience. Although confidentiality and availability are not directly affected, the integrity compromise can damage customer trust, lead to revenue loss, and potentially facilitate further attacks by altering site behavior. Since the vulnerability requires no authentication and can be exploited remotely, any WooCommerce store using the affected plugin version is at risk. This could be particularly damaging for high-traffic e-commerce sites relying on accurate product filtering for sales and customer satisfaction.

To mitigate this vulnerability, organizations should immediately update the plugin to a version that includes proper authorization checks once available. In the absence of an official patch, site administrators can implement temporary workarounds such as restricting access to the vulnerable AJAX endpoints via web application firewall (WAF) rules or server-level access controls to allow only trusted IP addresses. Additionally, monitoring and logging AJAX requests to detect suspicious activity targeting 'filter_save_settings' and 'add_filter_options' actions can help identify exploitation attempts. It is also advisable to review and harden WordPress user roles and permissions to minimize the impact of any unauthorized changes. Regular backups of plugin settings and site data should be maintained to enable quick restoration if unauthorized modifications occur.