CVE-2025-22667: Missing Authorization in Creative Werk Designs Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets
Missing Authorization vulnerability in Creative Werk Designs Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets (wpsyncsheets-woocommerce). This issue affects Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets: from n/a through <= 1.8.2.
AI Analysis
Technical Summary
CVE-2025-22667 identifies a Missing Authorization vulnerability in the Creative Werk Designs WordPress plugin 'Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets' (wpsyncsheets-woocommerce), affecting all versions up to and including 1.8.2. The vulnerability stems from the plugin's failure to enforce proper authorization checks on its export functionalities, which allow exporting sensitive WooCommerce data such as orders, products, customer information, and coupons directly to Google Sheets. This lack of access control means that unauthenticated or unauthorized users could potentially trigger export operations, leading to unauthorized data disclosure. The plugin is designed to facilitate data synchronization between WooCommerce and Google Sheets, a common requirement for e-commerce analytics and reporting. However, the missing authorization check creates a critical security gap. Although no public exploits have been reported yet, the exposure of personally identifiable information (PII), order details, and coupon data could lead to privacy violations, financial fraud, or competitive intelligence gathering. The vulnerability was reserved in early January 2025 and published in late March 2025, but no official patches or updates have been linked yet. The absence of a CVSS score necessitates a severity assessment based on the nature of the vulnerability and its potential impact.
Potential Impact
The primary impact of this vulnerability is unauthorized data exposure, which can compromise customer privacy and business confidentiality. Attackers exploiting this flaw could extract sensitive e-commerce data including customer identities, purchase histories, product inventories, and discount coupons. This could facilitate identity theft, targeted phishing attacks, financial fraud, or unauthorized use of coupons leading to revenue loss. Additionally, the breach of customer trust and potential regulatory penalties related to data protection laws (such as GDPR or CCPA) could cause reputational damage and legal consequences. Since WooCommerce is widely used globally, organizations relying on this plugin for data export are at risk of significant operational disruption and data leakage. The ease of exploitation is relatively high given the missing authorization, and no authentication or user interaction is required, increasing the threat surface. The scope is limited to sites using this specific plugin, but given WooCommerce's popularity, the affected population is substantial.
Mitigation Recommendations
Until an official patch is released, organizations should take immediate steps to mitigate risk. First, restrict access to the plugin’s export functionality by limiting administrative or editor roles to trusted personnel only. Implement web application firewall (WAF) rules to detect and block suspicious export requests targeting the plugin endpoints. Monitor logs for unusual export activity or access patterns. Consider temporarily disabling the plugin if export functionality is not critical or replacing it with alternative solutions that enforce strict authorization. Keep WordPress, WooCommerce, and all plugins updated regularly and subscribe to vendor security advisories for prompt patch deployment. Conduct a thorough audit of exported data and access permissions to ensure no unauthorized data has been leaked. Finally, educate staff on the risks of unauthorized data access and enforce strong access control policies within the CMS environment.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-07T21:02:51.801Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cd75ffe6bfc5ba1df08d32
Added to database: 4/1/2026, 7:46:07 PM
Last enriched: 4/2/2026, 12:40:29 AM
Last updated: 4/6/2026, 9:04:09 AM