CVE-2025-47634: CWE-862 Missing Authorization in Keylor Mendoza WC Pickup Store
Missing Authorization vulnerability in Keylor Mendoza WC Pickup Store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WC Pickup Store: from n/a through 1.8.9.
AI Analysis
Technical Summary
CVE-2025-47634 is a security vulnerability classified under CWE-862, which refers to Missing Authorization. This vulnerability affects the WC Pickup Store plugin developed by Keylor Mendoza, specifically versions up to 1.8.9. The issue arises due to incorrectly configured access control security levels, allowing unauthorized users to perform actions or access resources that should be restricted. The vulnerability does not require any authentication or user interaction to be exploited, and it can be triggered remotely over the network (AV:N/AC:L/PR:N/UI:N). The impact primarily affects the integrity and availability of the affected system, as unauthorized actions could modify or disrupt the normal functioning of the WC Pickup Store plugin. The CVSS v3.1 base score is 6.5, indicating a medium severity level. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability's presence in an e-commerce-related WordPress plugin (WC Pickup Store) suggests that attackers could manipulate order pickup processes, potentially leading to fraudulent orders, denial of service, or data tampering within the plugin's scope.
Potential Impact
For European organizations, especially those operating e-commerce platforms using WordPress with the WC Pickup Store plugin, this vulnerability poses a tangible risk. Exploitation could lead to unauthorized modification of order pickup details, disruption of order fulfillment, or denial of service affecting customer experience and business operations. This could result in financial losses, reputational damage, and potential regulatory scrutiny under GDPR if customer data integrity or availability is compromised. The medium severity score reflects that while confidentiality is not directly impacted, integrity and availability concerns are significant. Organizations relying on this plugin for order management should be aware that attackers do not need credentials or user interaction, increasing the risk of automated exploitation attempts.
Mitigation Recommendations
Given the absence of an official patch at this time, European organizations should implement compensating controls immediately. These include restricting network access to the WordPress admin and plugin endpoints via IP whitelisting or VPN, employing web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin, and monitoring logs for unusual activity related to order pickup operations. Administrators should audit user permissions to ensure minimal privilege principles are enforced and disable or remove the WC Pickup Store plugin if it is not essential. Additionally, organizations should subscribe to vendor and security advisories for prompt updates and apply patches as soon as they become available. Regular backups and incident response plans should be reviewed to prepare for potential exploitation scenarios.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
CVE-2025-47634: CWE-862 Missing Authorization in Keylor Mendoza WC Pickup Store
Description
Missing Authorization vulnerability in Keylor Mendoza WC Pickup Store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WC Pickup Store: from n/a through 1.8.9.
AI-Powered Analysis
Technical Analysis
CVE-2025-47634 is a security vulnerability classified under CWE-862, which refers to Missing Authorization. This vulnerability affects the WC Pickup Store plugin developed by Keylor Mendoza, specifically versions up to 1.8.9. The issue arises due to incorrectly configured access control security levels, allowing unauthorized users to perform actions or access resources that should be restricted. The vulnerability does not require any authentication or user interaction to be exploited, and it can be triggered remotely over the network (AV:N/AC:L/PR:N/UI:N). The impact primarily affects the integrity and availability of the affected system, as unauthorized actions could modify or disrupt the normal functioning of the WC Pickup Store plugin. The CVSS v3.1 base score is 6.5, indicating a medium severity level. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability's presence in an e-commerce-related WordPress plugin (WC Pickup Store) suggests that attackers could manipulate order pickup processes, potentially leading to fraudulent orders, denial of service, or data tampering within the plugin's scope.
Potential Impact
For European organizations, especially those operating e-commerce platforms using WordPress with the WC Pickup Store plugin, this vulnerability poses a tangible risk. Exploitation could lead to unauthorized modification of order pickup details, disruption of order fulfillment, or denial of service affecting customer experience and business operations. This could result in financial losses, reputational damage, and potential regulatory scrutiny under GDPR if customer data integrity or availability is compromised. The medium severity score reflects that while confidentiality is not directly impacted, integrity and availability concerns are significant. Organizations relying on this plugin for order management should be aware that attackers do not need credentials or user interaction, increasing the risk of automated exploitation attempts.
Mitigation Recommendations
Given the absence of an official patch at this time, European organizations should implement compensating controls immediately. These include restricting network access to the WordPress admin and plugin endpoints via IP whitelisting or VPN, employing web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin, and monitoring logs for unusual activity related to order pickup operations. Administrators should audit user permissions to ensure minimal privilege principles are enforced and disable or remove the WC Pickup Store plugin if it is not essential. Additionally, organizations should subscribe to vendor and security advisories for prompt updates and apply patches as soon as they become available. Regular backups and incident response plans should be reviewed to prepare for potential exploitation scenarios.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Patchstack
- Date Reserved
- 2025-05-07T10:44:48.426Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6867b9f06f40f0eb72a049aa
Added to database: 7/4/2025, 11:24:32 AM
Last enriched: 7/4/2025, 11:57:09 AM
Last updated: 7/22/2025, 12:04:34 AM
Views: 10
Related Threats
CVE-2025-8353: CWE-446: UI Discrepancy for Security Feature in Devolutions Server
UnknownCVE-2025-8312: CWE-833: Deadlock in Devolutions Server
UnknownCVE-2025-54656: CWE-117 Improper Output Neutralization for Logs in Apache Software Foundation Apache Struts Extras
MediumCVE-2025-50578: n/a
CriticalCVE-2025-8292: Use after free in Google Chrome
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.