CVE-2025-24625 identifies a missing authorization vulnerability in the 'Taxonomy/Term and Role based Discounts for WooCommerce' plugin, which is used to apply discounts based on taxonomy terms and user roles within WooCommerce stores. The vulnerability arises from incorrectly configured access control mechanisms that fail to properly verify whether a user has the necessary permissions to modify discount settings. This flaw allows an attacker, potentially with limited privileges, to bypass authorization checks and manipulate discount configurations, such as creating, modifying, or deleting discounts. The affected versions include all releases up to and including version 5.1. No CVSS score has been assigned yet, and no official patches or fixes have been published at the time of this report. The vulnerability does not require user interaction but may require the attacker to have some level of access to the WooCommerce administrative interface or the ability to send crafted requests to the plugin endpoints. Exploiting this vulnerability could lead to unauthorized financial discounts, undermining business revenue, causing financial loss, and damaging customer trust. The plugin is widely used in WooCommerce environments, which power a significant portion of global e-commerce websites, making this a critical concern for online retailers relying on this plugin for discount management.

The primary impact of this vulnerability is financial loss due to unauthorized discount manipulation. Attackers exploiting this flaw can grant themselves or others discounts without proper authorization, potentially leading to significant revenue leakage. Additionally, the integrity of pricing and discount policies is compromised, which can erode customer trust and damage brand reputation. For organizations, this could also result in accounting discrepancies and increased fraud risk. Since WooCommerce is a popular e-commerce platform globally, the scope of affected systems is broad, encompassing small to large online retailers. The vulnerability could also be leveraged as part of larger fraud schemes or combined with other attacks to escalate privileges or disrupt business operations. Although no known exploits are currently reported in the wild, the ease of exploitation due to missing authorization controls makes this a high-risk vulnerability that should be addressed promptly.

1. Immediately audit and restrict access permissions to the WooCommerce administrative interface, ensuring only trusted personnel have rights to modify discount settings. 2. Implement strict role-based access controls (RBAC) within WooCommerce and the plugin configuration to enforce least privilege principles. 3. Monitor logs and audit trails for unusual discount creation or modification activities to detect potential exploitation attempts early. 4. If possible, temporarily disable the 'Taxonomy/Term and Role based Discounts for WooCommerce' plugin until a patch or update is available. 5. Engage with the plugin vendor or community to obtain or request a security patch addressing the missing authorization issue. 6. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting discount management endpoints. 7. Educate administrators and staff about the risk and signs of unauthorized discount manipulations. 8. Regularly update WooCommerce and all plugins to their latest versions to benefit from security improvements and fixes.