CVE-2025-5813 identifies a missing authorization vulnerability (CWE-862) in the Amazon Products to WooCommerce plugin for WordPress, specifically in the wcta2w_get_amazon_product_callback() function. This function lacks proper capability checks, allowing unauthenticated attackers to invoke it and create new products in the WooCommerce store. The vulnerability affects all versions up to and including 1.2.7. Because the function does not verify user privileges, attackers can manipulate the store's product catalog without authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), with an impact limited to integrity (I:L) and no effect on confidentiality or availability. No patches or fixes have been published at the time of disclosure, and no known exploits are currently in the wild. The flaw could be leveraged to inject unauthorized products, potentially misleading customers, disrupting business operations, or facilitating further attacks such as phishing or malware distribution via malicious product listings. The vulnerability is classified as medium severity with a CVSS v3.1 score of 5.3.

The primary impact of CVE-2025-5813 is unauthorized modification of e-commerce product data, which undermines the integrity of affected WooCommerce stores. Attackers can create fraudulent or malicious product listings, potentially damaging brand reputation, misleading customers, or enabling scams. While confidentiality and availability are not directly affected, the integrity compromise can lead to financial losses, customer trust erosion, and operational disruptions. Additionally, attackers might use the unauthorized product creation capability as a foothold for further attacks, such as injecting malicious scripts or redirecting customers to phishing sites. Organizations relying on this plugin for their online storefronts are at risk of data manipulation and reputational harm. The vulnerability's ease of exploitation without authentication increases the likelihood of opportunistic attacks, especially on stores with high traffic or valuable product catalogs.

To mitigate CVE-2025-5813, organizations should immediately update the Amazon Products to WooCommerce plugin once an official patch is released. Until then, implement the following specific measures: 1) Restrict access to the vulnerable callback function by applying custom code to enforce capability checks, ensuring only authorized users can invoke it. 2) Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious requests targeting the vulnerable endpoint. 3) Monitor WooCommerce product creation logs for unusual or unauthorized additions and set up alerts for anomalies. 4) Limit plugin usage to trusted administrators and disable or remove the plugin if it is not essential. 5) Conduct regular security audits of WordPress plugins and maintain an inventory to quickly identify vulnerable components. 6) Educate site administrators on the risks of unauthorized product modifications and encourage prompt reporting of suspicious activity. These steps go beyond generic advice by focusing on immediate access control and monitoring strategies to reduce exploitation risk before patches are available.