CVE-2025-24762: CWE-862 Missing Authorization in facturaone TicketBAI Facturas para WooCommerce
Description
Missing Authorization vulnerability in facturaone TicketBAI Facturas para WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TicketBAI Facturas para WooCommerce: from n/a through 3.19.
AI Analysis
Technical Summary
CVE-2025-24762 is a medium severity vulnerability classified under CWE-862 (Missing Authorization) in the TicketBAI Facturas para WooCommerce plugin developed by facturaone, which manages invoicing and TicketBAI compliance on WooCommerce-based e-commerce sites. The flaw stems from improperly configured access control within the plugin: authorization checks are missing or inadequate, so authenticated users with limited privileges can perform actions or reach resources that should be restricted to them. Versions up to 3.19 are affected, though the exact set of affected versions is not fully enumerated. The CVSS 3.1 base score is 5.4 (medium), with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L: the flaw is reachable over the network with low attack complexity, requires low privileges (an authenticated account), needs no user interaction, does not change scope, and has a low impact on integrity and availability with no impact on confidentiality. An attacker with such access could modify or disrupt invoicing data or processes, potentially causing financial discrepancies or a denial of service in invoicing operations. No exploits in the wild have been reported, and no patches have been linked yet. The vulnerability is critical to address in environments where TicketBAI compliance and invoicing integrity are essential, especially in WooCommerce installations handling Spanish or Basque regional tax reporting requirements.
Potential Impact
For European organizations, particularly those operating in Spain and the Basque Country where TicketBAI compliance is mandatory, this vulnerability poses a significant risk to the integrity and availability of invoicing data. Exploitation could lead to unauthorized modifications or disruptions in invoice generation and submission, potentially resulting in regulatory non-compliance, financial losses, and operational downtime. Since WooCommerce is widely used by small and medium-sized enterprises (SMEs) across Europe for e-commerce, organizations relying on the TicketBAI Facturas plugin may face risks of invoice tampering or denial of service in their billing workflows. This could undermine trust with customers and tax authorities, and trigger audits or penalties. The requirement for authenticated access limits the attack surface to users with some level of access, but insider threats or compromised accounts could exploit this vulnerability. The lack of confidentiality impact reduces the risk of data leakage, but integrity and availability impacts remain critical for financial operations.
Mitigation Recommendations
Organizations should immediately audit their WooCommerce installations to determine whether the TicketBAI Facturas para WooCommerce plugin, in any version up to 3.19, is in use. Until an official patch is released, administrators should restrict plugin access to trusted users only and enforce strong authentication and role-based access controls to minimize the risk of exploitation. Monitoring and logging of user actions related to invoicing should be enhanced so that suspicious activity can be detected. Consider temporarily disabling or limiting the plugin's functionality where feasible, especially in high-risk environments. Engage with the vendor (facturaone) for updates on patches or mitigations. Additionally, deploy network-level protections such as a Web Application Firewall (WAF) with rules that flag anomalous API calls or unauthorized access attempts against the plugin's endpoints. Regularly review and prune user privileges so that the principle of least privilege is enforced. Finally, prepare incident response plans focused on invoice integrity and availability so that any exploitation attempt can be handled quickly.
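As an added illustration of the weakness class described in the technical summary and of the role-based access control, least privilege and logging recommended above, the following hypothetical WooCommerce AJAX handler shows the CWE-862 pattern next to a hardened version. This is not the plugin's code and not part of the original advisory; the action names, the choice of the `manage_woocommerce` capability, the nonce action name and the `_example_invoice_number` order meta key are assumptions made for the example.

```php
<?php
/**
 * Added illustration of CWE-862 (Missing Authorization) in a WordPress/WooCommerce
 * AJAX handler, with a hardened form. Hypothetical code: NOT the TicketBAI Facturas
 * para WooCommerce plugin's source. Action names, capability, nonce action and meta
 * key are assumptions chosen for the example.
 */

// --- Pattern to avoid: the wp_ajax_ prefix means WordPress only requires a logged-in
// user, i.e. authentication. Any authenticated account (a "customer" or "subscriber",
// matching the advisory's PR:L) reaches the handler, and nothing checks whether the
// caller is allowed to rewrite invoice data. This is the missing authorization check.
add_action( 'wp_ajax_example_invoice_regenerate_unsafe', 'example_invoice_regenerate_unsafe' );
function example_invoice_regenerate_unsafe() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'unknown order', 404 );
    }
    // Integrity/availability impact: the invoice number is overwritten on request.
    $order->update_meta_data( '_example_invoice_number', wp_generate_password( 8, false ) );
    $order->save();
    wp_send_json_success();
}

// --- Hardened pattern: request-forgery check, explicit capability check, audit log.
add_action( 'wp_ajax_example_invoice_regenerate', 'example_invoice_regenerate' );
function example_invoice_regenerate() {
    // 1. Request forgery protection: the nonce ties the request to the user's session
    //    and to this specific action (assumed nonce action name). Dies on failure.
    check_ajax_referer( 'example_invoice_regenerate', 'nonce' );

    // 2. Authorization: only accounts allowed to manage the shop may touch invoices.
    //    'manage_woocommerce' is WooCommerce's capability for shop managers and admins;
    //    customers and subscribers do not have it. Denials are logged for review.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        example_invoice_audit( 'denied', 0 );
        wp_send_json_error( 'forbidden', 403 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'unknown order', 404 );
    }
    $order->update_meta_data( '_example_invoice_number', wp_generate_password( 8, false ) );
    $order->save();
    example_invoice_audit( 'regenerated', $order_id );
    wp_send_json_success();
}

/**
 * Minimal audit trail so invoice changes can be reviewed: who, outcome, which order,
 * from which address. Goes to the PHP error log (wp-content/debug.log when WP_DEBUG_LOG is on).
 */
function example_invoice_audit( string $outcome, int $order_id ): void {
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';
    error_log( sprintf(
        'invoice-audit user=%d login=%s outcome=%s order=%d ip=%s',
        $user->ID,
        $user->user_login,
        $outcome,
        $order_id,
        $ip
    ) );
}
```

The unsafe registration is kept only for contrast and would never ship; in a review, the thing to look for in every `wp_ajax_`, REST route or `admin_post_` handler is a `current_user_can()` call against a capability that low-privileged roles lack, because `is_user_logged_in()` alone answers a different question. The audit line gives the monitoring recommended above something concrete to alert on, for example a burst of `outcome=denied` entries from one account.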
Affected Countries
Spain, France, Germany, Italy, Portugal
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-23T14:53:08.867Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6842edd971f4d251b5c87f04
Added to database: 6/6/2025, 1:32:09 PM
Last enriched: 7/8/2025, 8:58:04 AM
Last updated: 8/3/2025, 4:17:48 PM