CVE-2025-14366 identifies a missing authorization vulnerability (CWE-862) in the dugudlabs Eyewear prescription form plugin for WordPress, affecting all versions up to 6.0.1. The vulnerability arises from the absence of proper authorization checks on the SubmitCatProductRequest AJAX action endpoint. This endpoint accepts parameters such as 'Name', 'Price', and 'Parent' which are used to create WooCommerce products. Due to the missing authorization, unauthenticated attackers can remotely invoke this AJAX action to create arbitrary products with custom attributes, including setting product names, prices, and category assignments. This unauthorized product creation can lead to data integrity issues within the WooCommerce store, potentially disrupting product catalogs, pricing structures, and inventory management. The vulnerability does not expose confidential information nor does it allow denial of service, but it undermines the integrity of e-commerce data. The CVSS v3.1 base score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or availability impact, but integrity impact present. No patches or exploits are currently published, but the vulnerability is publicly disclosed and should be addressed promptly. The root cause is a failure to implement authorization controls on a sensitive AJAX action within the WordPress plugin, a common security oversight in plugin development.

The primary impact of CVE-2025-14366 is on data integrity within WooCommerce stores using the vulnerable dugudlabs Eyewear prescription form plugin. Attackers can create arbitrary products with manipulated names, prices, and categories, potentially leading to fraudulent listings, pricing manipulation, and disruption of normal e-commerce operations. This could result in financial losses, customer confusion, and reputational damage for affected merchants. Since the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to any WooCommerce site using this plugin. However, it does not directly compromise customer data confidentiality or site availability. The integrity compromise could also facilitate further attacks, such as injecting malicious product links or misleading customers. Organizations relying on this plugin for eyewear prescriptions or related e-commerce should consider the risk of unauthorized product injection and its downstream effects on business processes and customer trust.

To mitigate CVE-2025-14366, organizations should immediately update the dugudlabs Eyewear prescription form plugin to a patched version once available. In the absence of an official patch, administrators should implement custom authorization checks on the SubmitCatProductRequest AJAX action to ensure only authenticated and authorized users can create products. This can be done by modifying the plugin code to verify user capabilities such as 'manage_woocommerce' or 'edit_products' before processing requests. Additionally, monitoring WooCommerce product creation logs for unusual activity or spikes in product additions can help detect exploitation attempts. Employing a Web Application Firewall (WAF) with rules to block unauthorized AJAX requests targeting this endpoint can provide temporary protection. Regularly auditing installed WordPress plugins for security updates and minimizing the use of unnecessary plugins reduces attack surface. Finally, educating site administrators about the risks of installing unverified plugins and enforcing the principle of least privilege for user roles will help prevent similar vulnerabilities.