CVE-2025-58835 is a medium-severity vulnerability identified in the WordPress plugin 'Bonus for Woo' developed by calliko. The vulnerability is categorized under CWE-1284, which pertains to improper validation of specified quantity in input. Specifically, this flaw allows unauthorized users to access functionality that should be restricted by Access Control Lists (ACLs). The vulnerability affects versions up to 7.4.1 of the Bonus for Woo plugin. The CVSS v3.1 base score is 5.3, indicating a medium level of severity. The vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) reveals that the vulnerability is remotely exploitable over the network without requiring any privileges or user interaction, but it only impacts the integrity of the system, not confidentiality or availability. The core issue is that the plugin does not properly validate the quantity input parameter, which can be manipulated to bypass ACL restrictions and access or invoke functionality that should be off-limits to unauthorized users. Although no known exploits are currently reported in the wild, the vulnerability poses a risk of unauthorized modification or manipulation of plugin-related data or operations. Given that Bonus for Woo is an add-on for WooCommerce, a widely used e-commerce platform on WordPress, exploitation could lead to unauthorized changes in promotional bonuses or discounts, potentially impacting business logic and customer transactions.

For European organizations using WooCommerce with the Bonus for Woo plugin, this vulnerability could lead to unauthorized manipulation of promotional offers or bonus configurations. This may result in financial losses due to fraudulent discounts or unauthorized benefits being granted. Additionally, the integrity compromise could erode customer trust and damage brand reputation. Since the vulnerability does not affect confidentiality or availability directly, data breaches or service outages are less likely. However, the unauthorized access to functionality could be leveraged as a foothold for further attacks or fraud schemes. E-commerce businesses in Europe, especially SMEs relying on WooCommerce plugins for marketing and sales incentives, are at risk. Regulatory compliance under GDPR may also be indirectly impacted if customer transaction data integrity is compromised. The lack of required privileges or user interaction for exploitation increases the risk profile, as attackers can remotely exploit the vulnerability without authentication.

European organizations should immediately audit their WooCommerce installations to identify the presence and version of the Bonus for Woo plugin. If the plugin version is 7.4.1 or earlier, organizations should seek updates or patches from the vendor as soon as they become available. In the absence of official patches, temporarily disabling the Bonus for Woo plugin or restricting its access via web application firewalls (WAF) or plugin-specific access controls can mitigate risk. Implementing strict input validation and ACL enforcement at the application level can also reduce exposure. Monitoring logs for unusual activity related to bonus or discount configurations is recommended to detect potential exploitation attempts. Organizations should also review their e-commerce promotional workflows to identify any anomalies or unauthorized changes. Finally, maintaining regular backups and having an incident response plan tailored to e-commerce fraud scenarios will aid in recovery if exploitation occurs.