CVE-2025-47602: CWE-862 Missing Authorization in ammarahmad786 Calculate Prices based on Distance For WooCommerce
Missing Authorization vulnerability in ammarahmad786 Calculate Prices based on Distance For WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Calculate Prices based on Distance For WooCommerce: from n/a through 1.3.5.
AI Analysis
Technical Summary
CVE-2025-47602 is a Missing Authorization vulnerability (CWE-862) in the WordPress plugin 'Calculate Prices based on Distance For WooCommerce' by ammarahmad786, which computes shipping or product prices from the distance between two locations for WooCommerce stores. The plugin exposes functionality without an adequate authorization check, so an authenticated user with low privileges (PR:L) can invoke actions that should be reserved for store managers or administrators. In WordPress terms "low privileges" is a weak bar: authenticated admin-ajax and REST handlers are reachable by any logged-in account, including the Customer accounts WooCommerce creates when registration at checkout or on the My Account page is enabled, so the attacker may be nothing more than a self-registered shopper. The CVSS v3.1 base score is 5.4 (Medium). The vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L means the flaw is reachable over the network with low attack complexity, requires a low-privileged account and no user interaction, stays within the plugin's security scope, and has low impact on integrity and availability and none on confidentiality. All versions up to and including 1.3.5 are affected ("from n/a through 1.3.5"); at the time of this analysis no patched release is listed and no exploitation in the wild has been reported. Because a plugin that handles pricing and shipping calculations sits directly in the order flow, unauthorized manipulation could produce incorrect prices, financial losses, or a denial of service through disrupted pricing functions.
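The pattern behind a CWE-862 finding in a WordPress plugin, shown as an added example written for this page. It is not code from the Calculate Prices based on Distance plugin; the hook names, option name, nonce action and the `rate_per_km` parameter are assumptions chosen to illustrate the class of bug. The first handler persists a pricing setting from any logged-in user because `wp_ajax_*` hooks fire for every authenticated account; the hardened handler and the REST route add the capability check, nonce verification and input validation that the vulnerable one lacks.

```php
<?php
/**
 * Added example (hypothetical plugin code), not the vulnerable plugin's source.
 * Demonstrates CWE-862 in a WordPress/WooCommerce admin-ajax handler and its fix.
 */

// VULNERABLE: wp_ajax_{action} runs for ANY logged-in user (PR:L in the CVSS vector).
// There is no capability check and no nonce, so a Subscriber or Customer account
// can overwrite the store's distance pricing (integrity) or set it to a value that
// breaks price calculation (availability).
add_action( 'wp_ajax_cpd_save_rate', 'cpd_save_rate_vulnerable' );
function cpd_save_rate_vulnerable() {
    $rate = isset( $_POST['rate_per_km'] ) ? (float) $_POST['rate_per_km'] : 0.0;
    update_option( 'cpd_rate_per_km', $rate ); // hypothetical option name
    wp_send_json_success( array( 'rate_per_km' => $rate ) );
}

// HARDENED: authorization, CSRF protection and validation, in that order.
add_action( 'wp_ajax_cpd_save_rate_v2', 'cpd_save_rate_hardened' );
function cpd_save_rate_hardened() {
    // 1. Authorization (the missing CWE-862 check): only store managers and
    //    administrators hold WooCommerce's 'manage_woocommerce' capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }

    // 2. Nonce: reject requests that did not originate from the plugin's own
    //    settings form (nonce action 'cpd_save_rate' is hypothetical).
    check_ajax_referer( 'cpd_save_rate', 'security' );

    // 3. Validate the value before persisting it; a negative or absurd rate
    //    would corrupt every shipping quote in the store.
    $raw = isset( $_POST['rate_per_km'] ) ? wp_unslash( $_POST['rate_per_km'] ) : null;
    if ( null === $raw || ! is_numeric( $raw ) || (float) $raw < 0 || (float) $raw > 1000 ) {
        wp_send_json_error( array( 'message' => 'invalid rate_per_km' ), 400 );
    }

    update_option( 'cpd_rate_per_km', (float) $raw );
    wp_send_json_success( array( 'rate_per_km' => (float) $raw ) );
}

// The same rule for a REST endpoint: WordPress requires a permission_callback,
// and returning true (or omitting the capability test) reproduces the bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'cpd/v1', '/rate', array(   // hypothetical namespace/route
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'cpd_rate_per_km', (float) $request->get_param( 'rate_per_km' ) );
            return rest_ensure_response( array( 'rate_per_km' => (float) $request->get_param( 'rate_per_km' ) ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        'args'                => array(
            'rate_per_km' => array( 'required' => true, 'type' => 'number', 'minimum' => 0, 'maximum' => 1000 ),
        ),
    ) );
} );
```

When auditing a plugin for this class of issue, grep for `add_action( 'wp_ajax_` and `register_rest_route` and confirm that every handler that writes options, post meta or order data calls `current_user_can()` with a capability appropriate to the operation, not merely `is_user_logged_in()`; a nonce on its own is a CSRF control, not an authorization check, and does not close a CWE-862 finding.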
Potential Impact
For European organizations running WooCommerce stores with the vulnerable 'Calculate Prices based on Distance' plugin, this vulnerability could allow unauthorized modification of pricing calculations or disruption of shipping cost computations, leading to financial discrepancies, loss of customer trust, and operational disruption. Because the flaw needs only a low-privileged authenticated account, an insider, a compromised low-level account, or a self-registered customer could manipulate prices or cause a denial of service. This is particularly impactful for SMEs and larger retailers that depend on accurate distance-based pricing for logistics and customer billing. Incorrect pricing can also create compliance exposure under EU consumer protection law, with the attendant risk of fines or reputational damage, and the availability impact could stall order processing and fulfilment, affecting customer satisfaction and revenue. Confidentiality is not directly affected, but the integrity and availability concerns are significant for business continuity and trust.
Mitigation Recommendations
1. Confirm whether the plugin is installed and at what version (Plugins screen, or `wp plugin list --fields=name,version,status` with WP-CLI); every version up to and including 1.3.5 is affected.
2. Reduce the pool of accounts that can reach the flaw: it requires only a low-privileged login, so review and prune Subscriber and Customer accounts, disable open registration where the store does not need it, and keep the number of users with any elevated role to a minimum.
3. Monitor and audit user activity around the plugin (changes to its settings, unexpected shipping or price values on orders) to detect unauthorized manipulation of pricing or shipping calculations.
4. Disable or uninstall the plugin if it is not essential until a patched release is available.
5. Where the plugin must stay active, add web application firewall (WAF) rules that detect and block requests to the plugin's endpoints from accounts that are not store managers or administrators; the endpoint names must be taken from the plugin's own code, since the advisory does not list them.
6. Engage the plugin developer, or follow the assigner (Patchstack), for a fixed release and apply it as soon as it is published.
7. Review and harden WooCommerce and WordPress role permissions so that least privilege is enforced, in particular that only roles holding `manage_woocommerce` (Shop Manager, Administrator) can change pricing and shipping configuration.
8. Include authorization checks (capability and nonce verification on every state-changing AJAX and REST handler) in penetration tests of WooCommerce plugins to find similar flaws proactively.
9. Educate administrators and users about privilege escalation risks and the importance of strong authentication and account management.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-05-07T10:44:26.562Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d981ac4522896dcbd9294
Added to database: 5/21/2025, 9:08:42 AM
Last enriched: 7/5/2025, 11:40:23 AM
Last updated: 8/1/2025, 3:47:50 AM
Views: 9
Related Threats
- CVE-2025-9102: Improper Export of Android Application Components in 1&1 Mail & Media mail.com App (Medium)
- CVE-2025-9101: Cross Site Scripting in zhenfeng13 My-Blog (Medium)
- CVE-2025-9100: Authentication Bypass by Capture-replay in zhenfeng13 My-Blog (Medium)
- CVE-2025-9099: Unrestricted Upload in Acrel Environmental Monitoring Cloud Platform (Medium)
- CVE-2025-9098: Improper Export of Android Application Components in Elseplus File Recovery App (Medium)