
CVE-2025-49287: CWE-862 Missing Authorization in WebToffee Product Feed for WooCommerce

Medium
Vulnerability · CVE-2025-49287 · Tags: cve, cve-2025-49287, cwe-862
Published: Fri Jun 06 2025 (06/06/2025, 12:53:43 UTC)
Source: CVE Database V5
Vendor/Project: WebToffee
Product: Product Feed for WooCommerce

Description

Missing Authorization vulnerability in WebToffee Product Feed for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Feed for WooCommerce: from n/a through 2.2.8.

AI-Powered Analysis

AI analysis last updated: 07/07/2025, 21:25:27 UTC

Technical Analysis

CVE-2025-49287 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting the WebToffee Product Feed for WooCommerce plugin, specifically versions up to and including 2.2.8. The vulnerability arises from incorrect or missing access control checks within the plugin, allowing users with limited privileges (PR:L, low privileges required) to perform actions or access resources that should be restricted. The flaw requires no user interaction (UI:N) and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L). Although the vulnerability does not impact confidentiality or availability, it can lead to limited integrity loss (I:L) by enabling unauthorized modification of product feed data. The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component and does not extend to other system components. The vulnerability is rated medium severity with a CVSS 3.1 base score of 4.3. No known exploits are currently reported in the wild, and no patches have been linked yet. The issue is significant because WooCommerce is a widely used e-commerce platform, and the WebToffee Product Feed plugin is commonly employed to generate product feeds for marketing and sales channels. Missing authorization can allow unauthorized users to alter product feed data, potentially leading to incorrect product information being distributed to third-party platforms and impacting business operations and customer trust.

Potential Impact

For European organizations using WooCommerce with the WebToffee Product Feed plugin, this vulnerability could lead to unauthorized modification of product feed data, which may result in inaccurate product listings on external marketplaces or advertising platforms. This can cause financial losses due to incorrect pricing, product availability, or descriptions, and damage brand reputation. Additionally, manipulation of product feeds could be leveraged in supply chain attacks or to inject malicious content indirectly. Since WooCommerce is popular among small to medium-sized enterprises (SMEs) across Europe, especially in retail and e-commerce sectors, the impact could be widespread. The integrity compromise may also affect compliance with consumer protection regulations such as the EU’s Digital Services Act if misleading product information is propagated. Although the vulnerability does not directly expose sensitive customer data or cause service outages, the indirect effects on business operations and trustworthiness are notable.

Mitigation Recommendations

European organizations should immediately audit their WooCommerce installations to identify if the WebToffee Product Feed plugin is in use and verify the version. Until an official patch is released, organizations should consider disabling the plugin or restricting access to the product feed management interfaces to trusted administrators only. Implementing strict role-based access controls (RBAC) within WordPress and WooCommerce is critical to ensure that only authorized users can modify product feeds. Monitoring and logging changes to product feed configurations can help detect unauthorized activities early. Organizations should also review their external product feed outputs for anomalies or unexpected changes. Once a patch becomes available, prompt application is essential. Additionally, organizations could consider isolating the plugin’s functionality within a segmented environment or using web application firewalls (WAFs) to limit access to the plugin endpoints. Regular security assessments and vulnerability scanning of e-commerce platforms should be part of ongoing security hygiene.
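As an added illustration of the CWE-862 pattern and of the RBAC and logging recommendations above (this is not the plugin's code; the action names, option name and settings layout are assumptions), a hypothetical WordPress AJAX endpoint that saves feed settings, shown first without any authorization check and then in hardened form:

```php
<?php
// Hypothetical plugin endpoint. All names here are assumptions for illustration,
// not WebToffee's code. Settings are assumed to be a flat array of strings.

// Missing-authorization pattern (CWE-862): every logged-in user can reach a
// wp_ajax_ handler, and nothing verifies that the caller may edit feed settings.
add_action( 'wp_ajax_demo_save_feed', 'demo_save_feed_unchecked' );
function demo_save_feed_unchecked() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'demo_feed_settings', $settings ); // feed data altered by any account
    wp_send_json_success();
}

// Hardened form: verify intent (nonce), then authorization (capability),
// then sanitize, and record who changed what for later detection.
add_action( 'wp_ajax_demo_save_feed_v2', 'demo_save_feed_checked' );
function demo_save_feed_checked() {
    // Terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'demo_save_feed', 'nonce' );

    // Only shop managers and administrators carry manage_woocommerce.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array_map( 'sanitize_text_field', $raw );

    $before = get_option( 'demo_feed_settings', array() );
    update_option( 'demo_feed_settings', $settings );

    // Audit trail supporting the "monitor and log feed configuration changes"
    // recommendation: who changed the feed, and the before/after values.
    error_log( sprintf(
        'feed settings changed by user %d: %s',
        get_current_user_id(),
        wp_json_encode( array( 'before' => $before, 'after' => $settings ) )
    ) );

    wp_send_json_success();
}
```

The first handler is the shape to look for when auditing a plugin: a `wp_ajax_` or REST callback that writes settings without a `current_user_can()` call.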


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-06-04T09:41:43.867Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842ede071f4d251b5c88105

Added to database: 6/6/2025, 1:32:16 PM

Last enriched: 7/7/2025, 9:25:27 PM

Last updated: 8/3/2025, 6:18:09 AM
