CVE-2025-14365: CWE-862 Missing Authorization in dugudlabs Eyewear prescription form
The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the 'catIds' parameter.
AI Analysis
Technical Summary
CVE-2025-14365 is a vulnerability classified under CWE-862 (Missing Authorization) found in the dugudlabs Eyewear prescription form plugin for WordPress. This plugin, widely used to facilitate eyewear prescription submissions, integrates with WooCommerce for product management. The vulnerability exists because the RemoveItems AJAX action lacks proper capability checks, allowing unauthenticated attackers to invoke this action remotely. By manipulating the 'catIds' parameter, attackers can delete arbitrary WooCommerce product categories, including all nested child categories. This deletion compromises the integrity of the e-commerce product catalog, potentially disrupting business operations and causing loss of product data organization. The CVSS 3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), but impacts integrity only (I:L) without affecting confidentiality or availability. No patches or exploits are currently known, but the vulnerability's presence in all versions up to 6.0.1 means that many installations remain exposed. The lack of authorization checks is a critical oversight in the plugin's design, emphasizing the need for secure coding practices in WordPress plugin development, especially when handling AJAX actions that modify data.
Potential Impact
The primary impact of this vulnerability is on the integrity of WooCommerce product categories within affected WordPress sites. Unauthorized deletion of product categories can lead to significant disruption in e-commerce operations, including loss of product organization, potential revenue loss, and increased administrative overhead to restore deleted categories. While confidentiality and availability are not directly affected, the integrity compromise can indirectly affect availability if critical product categories are removed, causing confusion or inability to sell certain products. For organizations relying heavily on WooCommerce for online sales, this can degrade customer experience and damage brand reputation. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad, increasing the risk of automated or opportunistic attacks. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks, especially if the vulnerability becomes publicly known.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit their WordPress installations for the dugudlabs Eyewear prescription form plugin and upgrade to a patched version once available. In the absence of an official patch, administrators should implement manual capability checks on the RemoveItems AJAX action to ensure only authorized users can perform category deletions. This can be done by modifying the plugin code to verify user permissions against WooCommerce product category management capabilities before processing the request. Additionally, monitoring logs for unusual AJAX requests targeting RemoveItems and unexpected deletions of product categories can help detect exploitation attempts. Employing a Web Application Firewall (WAF) with custom rules to block unauthorized AJAX requests to this endpoint can provide a temporary protective layer. Regular backups of WooCommerce product data and categories are critical to enable rapid restoration in case of successful exploitation. Finally, educating site administrators about the risks of installing unverified plugins and encouraging the use of security best practices in plugin development can reduce future vulnerabilities.
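One way to implement the capability check described above, written here as an added example for a hypothetical category-removal AJAX handler (this is not the plugin's own code; the hook, function, nonce and parameter handling are assumptions, with only the 'catIds' parameter name taken from the advisory):

```php
<?php
// Added example, not the dugudlabs plugin's code: a hardened WordPress AJAX
// handler for a hypothetical category-removal action, showing the checks the
// advisory says the RemoveItems action lacks. Hook and function names are assumed.

// Register only the authenticated hook. Also registering 'wp_ajax_nopriv_...'
// would expose the handler to logged-out visitors, which is the CWE-862 pattern here.
add_action( 'wp_ajax_example_remove_categories', 'example_remove_categories' );

function example_remove_categories() {
    // 1. Authorization: only users allowed to delete WooCommerce product terms.
    //    'delete_product_terms' is the capability WooCommerce maps to product_cat deletion.
    if ( ! current_user_can( 'delete_product_terms' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. CSRF protection: verify the nonce issued to the admin page that renders the form.
    check_ajax_referer( 'example_remove_categories_nonce', 'security' );

    // 3. Input validation: catIds must be a list of positive integers.
    $raw_ids = isset( $_POST['catIds'] ) ? (array) wp_unslash( $_POST['catIds'] ) : array();
    $cat_ids = array_filter( array_map( 'absint', $raw_ids ) );
    if ( empty( $cat_ids ) ) {
        wp_send_json_error( array( 'message' => 'No valid category IDs supplied' ), 400 );
    }

    $deleted = array();
    foreach ( $cat_ids as $cat_id ) {
        // 4. Confirm each ID really is a product category before deleting it.
        $term = get_term( $cat_id, 'product_cat' );
        if ( ! $term instanceof WP_Term ) {
            continue;
        }
        // wp_delete_term() reparents children to the deleted term's parent rather
        // than removing them; cascading deletion must be a separate, deliberate step.
        if ( true === wp_delete_term( $cat_id, 'product_cat' ) ) {
            $deleted[] = $cat_id;
        }
    }

    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```

Requests that fail the capability or nonce check are rejected before any term is touched, which is also the point at which to emit a log line for the monitoring described above.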
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Brazil, Netherlands, Japan
Machine-generated threat intelligence
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-09T18:23:53.612Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693cef64d977419e584a5026
Added to database: 12/13/2025, 4:45:24 AM
Last enriched: 2/27/2026, 11:07:55 AM
Last updated: 3/24/2026, 12:17:13 AM