CVE-2025-49287: CWE-862 Missing Authorization in WebToffee Product Feed for WooCommerce
Missing Authorization vulnerability in WebToffee Product Feed for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Feed for WooCommerce: from n/a through 2.2.8.
AI Analysis
Technical Summary
CVE-2025-49287 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting the WebToffee Product Feed for WooCommerce plugin, specifically versions up to 2.2.8. This vulnerability arises from incorrect or missing access control checks within the plugin, allowing users with limited privileges (PR:L, low privileges required) to perform actions or access resources that should be restricted. The flaw does not require user interaction (UI:N) and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L). Although the vulnerability does not impact confidentiality (C:N) or availability (A:N), it can lead to a limited loss of integrity (I:L) by enabling unauthorized modification or manipulation of product feed data. The scope remains unchanged (S:U), meaning the impact is confined to the vulnerable component without affecting other system components. The vulnerability is rated medium severity with a CVSS 3.1 base score of 4.3. No known exploits are currently reported in the wild, and no patches have been linked yet. The issue is significant because WooCommerce is a widely used e-commerce platform, and the WebToffee Product Feed plugin is commonly employed to generate product feeds for marketing and sales channels. Missing authorization can allow attackers or unauthorized users to alter product feed data, potentially leading to incorrect product information being distributed to third-party platforms, impacting business operations and customer trust.
Potential Impact
For European organizations using WooCommerce with the WebToffee Product Feed plugin, this vulnerability could lead to unauthorized modification of product feed data, which may result in inaccurate product listings on external marketplaces or advertising platforms. This can cause financial losses due to incorrect pricing, product availability, or descriptions, and damage brand reputation. Additionally, manipulation of product feeds could be leveraged in supply chain attacks or to inject malicious content indirectly. Since WooCommerce is popular among small to medium-sized enterprises (SMEs) across Europe, especially in retail and e-commerce sectors, the impact could be widespread. The integrity compromise may also affect compliance with consumer protection regulations such as the EU’s Digital Services Act if misleading product information is propagated. Although the vulnerability does not directly expose sensitive customer data or cause service outages, the indirect effects on business operations and trustworthiness are notable.
Mitigation Recommendations
European organizations should immediately audit their WooCommerce installations to identify if the WebToffee Product Feed plugin is in use and verify the version. Until an official patch is released, organizations should consider disabling the plugin or restricting access to the product feed management interfaces to trusted administrators only. Implementing strict role-based access controls (RBAC) within WordPress and WooCommerce is critical to ensure that only authorized users can modify product feeds. Monitoring and logging changes to product feed configurations can help detect unauthorized activities early. Organizations should also review their external product feed outputs for anomalies or unexpected changes. Once a patch becomes available, prompt application is essential. Additionally, organizations could consider isolating the plugin’s functionality within a segmented environment or using web application firewalls (WAFs) to limit access to the plugin endpoints. Regular security assessments and vulnerability scanning of e-commerce platforms should be part of ongoing security hygiene.
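The following is an added illustration of the authorization control the mitigation text calls for; it is not code from the WebToffee plugin and says nothing about where the plugin's actual check is missing. It shows a hypothetical WordPress AJAX handler that saves product feed settings in a CWE-862 form (a nonce check only, so any logged-in user such as a Subscriber passes) next to a hardened form that requires the WooCommerce `manage_woocommerce` capability and logs who changed the configuration. The action names, option name, nonce name and `pf_sanitize_feed_settings` helper are assumptions; `check_ajax_referer`, `current_user_can`, `wp_send_json_error` and the other WordPress functions are real.

```php
<?php
// Added example, not the plugin's own code. Handler names, the option
// 'pf_feed_settings' and the nonce 'pf_feed_nonce' are hypothetical.

// Vulnerable pattern (CWE-862): the handler only verifies a nonce.
// A nonce proves the request originated from the site's own UI; it does
// NOT prove the caller is authorized, so a low-privilege user passes it.
add_action( 'wp_ajax_pf_save_feed_settings_insecure', function () {
    check_ajax_referer( 'pf_feed_nonce', 'nonce' );
    $raw      = (array) wp_unslash( $_POST['settings'] ?? array() );
    $settings = pf_sanitize_feed_settings( $raw );
    update_option( 'pf_feed_settings', $settings );
    wp_send_json_success();
} );

// Hardened pattern: an explicit capability check limits the action to
// roles that legitimately manage the shop (Shop Manager, Administrator),
// and the change is logged so unexpected edits can be detected.
add_action( 'wp_ajax_pf_save_feed_settings', function () {
    check_ajax_referer( 'pf_feed_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        // wp_send_json_error() terminates the request after sending JSON.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $raw      = (array) wp_unslash( $_POST['settings'] ?? array() );
    $settings = pf_sanitize_feed_settings( $raw );
    update_option( 'pf_feed_settings', $settings );
    error_log( sprintf(
        'pf_feed_settings updated by user %d from %s',
        get_current_user_id(),
        sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? 'unknown' )
    ) );
    wp_send_json_success();
} );

// Hypothetical sanitizer: keeps only the fields a feed configuration
// is expected to carry, with types coerced.
function pf_sanitize_feed_settings( array $raw ): array {
    return array(
        'feed_title'    => sanitize_text_field( $raw['feed_title'] ?? '' ),
        'price_markup'  => max( 0.0, (float) ( $raw['price_markup'] ?? 0 ) ),
        'include_stock' => ! empty( $raw['include_stock'] ),
    );
}
```

The capability check is the authorization step; the nonce is a CSRF control and the two are not interchangeable. Auditing a site for this class of issue means looking for `wp_ajax_*`, REST route callbacks and admin-post handlers that write settings without a `current_user_can()` (or a REST `permission_callback`) tied to an appropriate capability.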
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T09:41:43.867Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6842ede071f4d251b5c88105
Added to database: 6/6/2025, 1:32:16 PM
Last enriched: 7/7/2025, 9:25:27 PM
Last updated: 11/22/2025, 7:32:30 PM
Views: 31