
CVE-2025-14366: CWE-862 Missing Authorization in dugudlabs Eyewear prescription form

Severity: Medium
Tags: Vulnerability, CVE-2025-14366, CWE-862
Published: Sat Dec 13 2025 (12/13/2025, 04:31:21 UTC)
Source: CVE Database V5
Vendor/Project: dugudlabs
Product: Eyewear prescription form

Description

The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing authorization checks on the SubmitCatProductRequest AJAX action. This makes it possible for unauthenticated attackers to create arbitrary WooCommerce products with custom names, prices, and category assignments via the 'Name', 'Price', and 'Parent' parameters.

AI-Powered Analysis

Last updated: 12/13/2025, 05:04:12 UTC

Technical Analysis

CVE-2025-14366 is a CWE-862 (Missing Authorization) flaw in the dugudlabs Eyewear prescription form plugin for WordPress, affecting all versions up to and including 6.0.1. The plugin registers an AJAX action named SubmitCatProductRequest that creates WooCommerce products, but the handler performs no authorization check before doing so. WordPress dispatches AJAX actions through wp-admin/admin-ajax.php, and the fact that unauthenticated callers reach this handler implies it is registered on the wp_ajax_nopriv_ hook, which any HTTP client can trigger. An attacker therefore needs nothing more than the action name and the 'Name', 'Price' and 'Parent' (category) parameters to create arbitrary products with chosen names, prices and category assignments.

Because WooCommerce is a widely used e-commerce platform for WordPress, unauthorized product creation is an integrity problem for the store: fraudulent or misleading products can be inserted, prices can be set to arbitrary values, and the catalog can be flooded with junk entries. The vulnerability does not expose confidential information and does not cause denial of service; its effect is confined to the integrity of product data. Exploitation requires no authentication or user interaction and is performed remotely over the network.

At the time this analysis was generated, no patched release had been published and no exploitation in the wild had been reported; the low barrier to exploitation nevertheless makes the risk real. The CVSS v3.1 base score is 5.3 (Medium) with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N); the remaining metrics consistent with that score and with the described impact are S:U/C:N/I:L/A:N (unchanged scope, no confidentiality or availability loss, limited integrity loss).
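The following is an added illustration of the CWE-862 pattern described above, written for this page; it is not the dugudlabs plugin's code. It assumes the handler reads Name, Price and Parent from the POST body and builds a WooCommerce product; the callback names and the nonce action string are invented. The first handler shows the missing check, the second the same operation with the authorization, nonce and input validation a practitioner would expect:

```php
<?php
/**
 * Added example (not the dugudlabs plugin's code): the CWE-862 pattern behind
 * CVE-2025-14366 next to a hardened version of the same AJAX handler.
 *
 * Assumptions: the handler reads Name/Price/Parent from $_POST and creates a
 * WooCommerce product; callback names and the nonce action are invented.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Registering on wp_ajax_nopriv_* exposes the action to visitors who are not
// logged in, and the callback never asks who is calling before saving.
add_action( 'wp_ajax_nopriv_SubmitCatProductRequest', 'example_vuln_submit_cat_product' );
add_action( 'wp_ajax_SubmitCatProductRequest', 'example_vuln_submit_cat_product' );

function example_vuln_submit_cat_product() {
    $product = new WC_Product_Simple();
    $product->set_name( $_POST['Name'] );                          // attacker-controlled
    $product->set_regular_price( $_POST['Price'] );                // attacker-controlled
    $product->set_category_ids( array( (int) $_POST['Parent'] ) ); // attacker-controlled
    $product_id = $product->save();                                // reachable by anyone on the internet
    wp_send_json_success( array( 'id' => $product_id ) );
}

// --- Hardened pattern -----------------------------------------------------
// 1. No wp_ajax_nopriv_ registration: only logged-in users reach the handler.
// 2. A nonce ties the request to a form the server issued (CSRF protection).
// 3. A WooCommerce capability check enforces authorization (the CWE-862 fix).
// 4. Inputs are sanitized and validated before they reach the product model.
add_action( 'wp_ajax_SubmitCatProductRequest', 'example_safe_submit_cat_product' );

function example_safe_submit_cat_product() {
    // The form is assumed to carry a field 'nonce' created with
    // wp_create_nonce( 'example_submit_cat_product' ); check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'example_submit_cat_product', 'nonce' );

    // edit_products is the capability WooCommerce grants to shop managers and administrators.
    if ( ! current_user_can( 'edit_products' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    $name   = sanitize_text_field( wp_unslash( $_POST['Name'] ?? '' ) );
    $price  = wc_format_decimal( wp_unslash( $_POST['Price'] ?? '' ) );
    $parent = absint( $_POST['Parent'] ?? 0 );

    if ( '' === $name || '' === $price ) {
        wp_send_json_error( array( 'message' => 'Name and Price are required.' ), 400 );
    }
    // Only accept categories that exist, so the parameter cannot be used to probe term IDs.
    if ( $parent && ! term_exists( $parent, 'product_cat' ) ) {
        wp_send_json_error( array( 'message' => 'Unknown category.' ), 400 );
    }

    $product = new WC_Product_Simple();
    $product->set_name( $name );
    $product->set_regular_price( $price );
    if ( $parent ) {
        $product->set_category_ids( array( $parent ) );
    }
    $product_id = $product->save();

    wp_send_json_success( array( 'id' => $product_id ) );
}
```

If the business flow genuinely requires anonymous customers to submit the form, requiring login is not an option; in that case the server must derive the product's name, price and category from its own configuration (for example a fixed product template keyed by a server-side identifier) rather than trusting request parameters, since any value read from the request is attacker-controlled.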

Potential Impact

For European organizations running WooCommerce stores with the dugudlabs Eyewear prescription form plugin, the risk is unauthorized product creation. Operational and reputational consequences include a catalog polluted with fake or misleading products, financial loss where attacker-set prices are honoured at checkout, customer confusion or mistrust, and administrative overhead to find and remove the unauthorized entries. The vulnerability does not by itself compromise customer data confidentiality or site availability, but the integrity breach undermines trust in the store.

Because the attacker controls the product name, the capability can also be used to plant misleading or abusive text in a storefront, and mass creation could serve as a foothold for follow-on social engineering or fraud; the advisory lists only the 'Name', 'Price' and 'Parent' parameters, so no claim is made here about control over product descriptions or links. The absence of known exploitation in the wild lowers the immediate risk but does not remove it, since the action is reachable remotely without authentication. European organizations with significant e-commerce activity on WordPress/WooCommerce should treat this as a moderate operational risk.

Mitigation Recommendations

1. Until a fixed plugin version is available, block the SubmitCatProductRequest AJAX action for anyone who is not a logged-in user with WooCommerce product-editing rights. Site operators cannot safely edit vendor plugin code, so this is best done with a small must-use plugin or a web server rule rather than by patching the plugin in place.
2. Add a web application firewall (WAF) rule that denies requests to /wp-admin/admin-ajax.php whose action parameter is SubmitCatProductRequest unless they carry a valid logged-in WordPress session cookie.
3. Review WooCommerce product listings for unexpected names, prices or categories. Products created by this route will typically have a post_author of 0, because no user was logged in when they were inserted; that is a useful indicator when hunting for injected entries.
4. Disable or remove the dugudlabs Eyewear prescription form plugin if it is not essential to business operations until a patch is released.
5. Engage with the plugin vendor to obtain an updated release that adds the missing authorization check, and install it as soon as it is available.
6. Harden the WordPress installation: limit the number of installed plugins, enforce strong authentication for all accounts, and keep core, themes and plugins up to date.
7. Audit other plugins for the same weakness: every wp_ajax_nopriv_ handler should be checked for a capability test and, where it changes state, a nonce check.
8. Make site administrators aware of the unauthorized product creation risk and have them monitor catalog changes.
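An interim guard that implements recommendation 1 and logs attempts for recommendation 3, written as an added example for this page and not vendor code. It assumes a single-site WordPress install where wp-content/mu-plugins/ is in use, and that the action name is matched exactly as WordPress does when building the hook name:

```php
<?php
/**
 * Plugin Name: Interim guard for CVE-2025-14366 (SubmitCatProductRequest)
 *
 * Added example, not vendor code. Save as wp-content/mu-plugins/cve-2025-14366-guard.php
 * to refuse the SubmitCatProductRequest AJAX action from any caller who is not
 * logged in with the WooCommerce 'edit_products' capability, and log the attempt.
 * Remove the file once a fixed plugin version is installed.
 */

// admin-ajax.php fires 'admin_init' before it dispatches the wp_ajax_nopriv_* / wp_ajax_*
// callbacks, so a guard on that hook runs ahead of the plugin's handler regardless of
// plugin load order. Priority 0 puts it before other admin_init listeners.
add_action( 'admin_init', 'example_guard_submit_cat_product', 0 );

function example_guard_submit_cat_product() {
    if ( ! wp_doing_ajax() ) {
        return; // ordinary admin page load, not an admin-ajax.php request
    }

    // WordPress uses the raw action value to build the hook name, so compare it exactly.
    $action = isset( $_REQUEST['action'] ) ? (string) wp_unslash( $_REQUEST['action'] ) : '';
    if ( 'SubmitCatProductRequest' !== $action ) {
        return;
    }

    // Authorized shop managers and administrators are allowed through to the plugin.
    if ( is_user_logged_in() && current_user_can( 'edit_products' ) ) {
        return;
    }

    // Record the blocked attempt so catalog reviews can be correlated with the source address.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $name   = isset( $_POST['Name'] ) ? sanitize_text_field( wp_unslash( $_POST['Name'] ) ) : '';
    error_log( sprintf(
        'CVE-2025-14366 guard: blocked SubmitCatProductRequest from %s (Name=%s)',
        $remote,
        $name
    ) );

    // Reply the way the hardened handler would and stop processing; wp_send_json_error() calls wp_die().
    wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
}
```

This guard denies the action to every unauthenticated caller, so if the form is meant to accept submissions from anonymous customers it will also stop legitimate use until the vendor ships a fix; in that situation recommendation 4 (disabling the plugin) has the same effect on customers and is simpler to reason about. After deploying it, exercise the form as an administrator to confirm the allowed path still works and as a logged-out visitor to confirm the 403 is returned.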


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-12-09T18:25:35.241Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 693cef64d977419e584a502b

Added to database: 12/13/2025, 4:45:24 AM

Last enriched: 12/13/2025, 5:04:12 AM

Last updated: 12/14/2025, 9:44:24 PM

Views: 17

