CVE-2025-47634 is a security vulnerability classified under CWE-862, which refers to Missing Authorization. This vulnerability affects the WC Pickup Store plugin developed by Keylor Mendoza, specifically versions up to 1.8.9. The issue arises due to incorrectly configured access control security levels, allowing unauthorized users to perform actions or access resources that should be restricted. The vulnerability does not require any authentication or user interaction to be exploited, and it can be triggered remotely over the network (AV:N/AC:L/PR:N/UI:N). The impact primarily affects the integrity and availability of the affected system, as unauthorized actions could modify or disrupt the normal functioning of the WC Pickup Store plugin. The CVSS v3.1 base score is 6.5, indicating a medium severity level. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability's presence in an e-commerce-related WordPress plugin (WC Pickup Store) suggests that attackers could manipulate order pickup processes, potentially leading to fraudulent orders, denial of service, or data tampering within the plugin's scope.

For European organizations, especially those operating e-commerce platforms using WordPress with the WC Pickup Store plugin, this vulnerability poses a tangible risk. Exploitation could lead to unauthorized modification of order pickup details, disruption of order fulfillment, or denial of service affecting customer experience and business operations. This could result in financial losses, reputational damage, and potential regulatory scrutiny under GDPR if customer data integrity or availability is compromised. The medium severity score reflects that while confidentiality is not directly impacted, integrity and availability concerns are significant. Organizations relying on this plugin for order management should be aware that attackers do not need credentials or user interaction, increasing the risk of automated exploitation attempts.

Given the absence of an official patch at this time, European organizations should implement compensating controls immediately. These include restricting network access to the WordPress admin and plugin endpoints via IP whitelisting or VPN, employing web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin, and monitoring logs for unusual activity related to order pickup operations. Administrators should audit user permissions to ensure minimal privilege principles are enforced and disable or remove the WC Pickup Store plugin if it is not essential. Additionally, organizations should subscribe to vendor and security advisories for prompt updates and apply patches as soon as they become available. Regular backups and incident response plans should be reviewed to prepare for potential exploitation scenarios.