CVE-2025-49287: CWE-862 Missing Authorization in WebToffee Product Feed for WooCommerce
Missing Authorization vulnerability in WebToffee Product Feed for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Feed for WooCommerce: from n/a through 2.2.8.
AI Analysis
Technical Summary
CVE-2025-49287 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting the WebToffee Product Feed for WooCommerce plugin, specifically versions up to and including 2.2.8. The vulnerability arises from incorrect or missing access control checks within the plugin, allowing users with limited privileges (PR:L, low privileges required) to perform actions or access resources that should be restricted. The flaw does not require user interaction (UI:N) and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L). Although the vulnerability does not impact confidentiality or availability, it can lead to integrity loss (I:L) by enabling unauthorized modification of product feed data. The scope remains unchanged (S:U), meaning the impact is confined to the vulnerable component without affecting other system components. The vulnerability is rated medium severity with a CVSS 3.1 base score of 4.3. No known exploits are currently reported in the wild, and no patches have been linked yet. The issue is significant because WooCommerce is a widely used e-commerce platform, and the WebToffee Product Feed plugin is commonly employed to generate product feeds for marketing and sales channels. Missing authorization can allow unauthorized users to alter product feed data, potentially leading to incorrect product information being distributed to third-party platforms, impacting business operations and customer trust.
Potential Impact
For European organizations using WooCommerce with the WebToffee Product Feed plugin, this vulnerability could lead to unauthorized modification of product feed data, which may result in inaccurate product listings on external marketplaces or advertising platforms. This can cause financial losses due to incorrect pricing, product availability, or descriptions, and damage brand reputation. Additionally, manipulation of product feeds could be leveraged in supply chain attacks or to inject malicious content indirectly. Since WooCommerce is popular among small to medium-sized enterprises (SMEs) across Europe, especially in retail and e-commerce sectors, the impact could be widespread. The integrity compromise may also affect compliance with consumer protection regulations such as the EU’s Digital Services Act if misleading product information is propagated. Although the vulnerability does not directly expose sensitive customer data or cause service outages, the indirect effects on business operations and trustworthiness are notable.
Mitigation Recommendations
European organizations should immediately audit their WooCommerce installations to determine whether the WebToffee Product Feed plugin is in use and verify its version. Until an official patch is released, organizations should consider disabling the plugin or restricting access to the product feed management interfaces to trusted administrators only. Implementing strict role-based access controls (RBAC) within WordPress and WooCommerce is critical to ensure that only authorized users can modify product feeds. Monitoring and logging changes to product feed configurations can help detect unauthorized activity early. Organizations should also review their external product feed outputs for anomalies or unexpected changes. Once a patch becomes available, prompt application is essential. Additionally, organizations could consider isolating the plugin's functionality within a segmented environment or using web application firewalls (WAFs) to limit access to the plugin endpoints. Regular security assessments and vulnerability scanning of e-commerce platforms should be part of ongoing security hygiene.
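The recommendation above to enforce RBAC and log configuration changes maps directly onto how a WordPress plugin is expected to gate its handlers. The following is an added illustration, not WebToffee's code and not the actual flaw in CVE-2025-49287: a hypothetical admin-ajax handler that saves product-feed settings, shown first with the generic CWE-862 pattern (no authorization check) and then hardened with a capability check, a nonce, input validation and an audit log line. The hook names (`example_feed_save*`), the option name `example_feed_settings` and the choice of the `manage_woocommerce` capability are assumptions made for this example.

```php
<?php
// Added illustration (not the plugin's code): a WordPress admin-ajax handler
// that saves product-feed settings, first showing the CWE-862 pattern (no
// authorization check), then a hardened version. Hook names, the option name
// and the capability used here are assumptions for this example.

// --- Missing-authorization pattern -----------------------------------------
// wp_ajax_* actions run for every authenticated user regardless of role, so
// without a capability check any low-privilege account can overwrite the feed.
add_action( 'wp_ajax_example_feed_save_insecure', function () {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_feed_settings', $settings );
    wp_send_json_success();
} );

// --- Hardened pattern ------------------------------------------------------
function example_feed_user_can_manage() {
    // Check a capability, not a role name: WooCommerce grants
    // manage_woocommerce to Shop Managers and Administrators only.
    return current_user_can( 'manage_woocommerce' );
}

add_action( 'wp_ajax_example_feed_save', function () {
    // 1. Authorization: the check whose absence CWE-862 describes.
    //    wp_send_json_error() ends the request, so nothing below runs on failure.
    if ( ! example_feed_user_can_manage() ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: the nonce must have been issued to this user for this action.
    check_ajax_referer( 'example_feed_save', '_wpnonce' );

    // 3. Input validation: accept only known keys, each sanitized to its expected shape.
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array(
        'feed_title'  => sanitize_text_field( $raw['feed_title'] ?? '' ),
        'currency'    => preg_match( '/^[A-Z]{3}$/', $raw['currency'] ?? '' ) ? $raw['currency'] : 'EUR',
        'price_delta' => (float) ( $raw['price_delta'] ?? 0 ),
    );

    $old = get_option( 'example_feed_settings', array() );
    update_option( 'example_feed_settings', $settings );

    // 4. Detection: record who changed which keys so unexpected edits are visible
    //    in the PHP error log (or wherever error_log() is routed).
    error_log( sprintf(
        '[feed-audit] user=%d ip=%s changed=%s',
        get_current_user_id(),
        sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' ),
        wp_json_encode( array_diff_assoc( $settings, $old ) )
    ) );

    wp_send_json_success( $settings );
} );

// Gate the settings page itself under the same capability and issue the nonce there.
add_action( 'admin_menu', function () {
    add_submenu_page(
        'woocommerce',
        'Product Feed',
        'Product Feed',
        'manage_woocommerce',
        'example-feed',
        function () {
            if ( ! example_feed_user_can_manage() ) {
                wp_die( 'Forbidden', 403 );
            }
            $nonce = wp_create_nonce( 'example_feed_save' );
            echo '<div class="wrap"><h1>Product Feed</h1>'
               . '<input type="hidden" id="feed-nonce" value="' . esc_attr( $nonce ) . '">'
               . '</div>';
        }
    );
} );
```

Two design points are worth noting. No `wp_ajax_nopriv_*` hook is registered, so unauthenticated requests never reach either handler; that matches the PR:L in the CVSS vector, where the missing piece is the check between "logged in" and "allowed to manage the shop". The audit line is what the monitoring recommendation needs in practice: when reviewing a site during the window before a patch, filtering the log for `[feed-audit]` entries whose `user` lacks `manage_woocommerce` is a direct check for abuse of this class of flaw.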
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T09:41:43.867Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6842ede071f4d251b5c88105
Added to database: 6/6/2025, 1:32:16 PM
Last enriched: 7/7/2025, 9:25:27 PM
Last updated: 8/3/2025, 6:18:09 AM
Related Threats
- CVE-2025-8940: Buffer Overflow in Tenda AC20 (High)
- CVE-2025-8939: Buffer Overflow in Tenda AC20 (High)
- CVE-2025-50518: n/a (High)
- CVE-2025-8989: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-8988: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)