CVE-2025-60077 identifies a missing authorization vulnerability in the YayCommerce YayPricing plugin, specifically in versions up to and including 3.5.3. The flaw arises because certain functionality within the plugin is not properly constrained by Access Control Lists (ACLs), allowing unauthenticated attackers to invoke functions that should be restricted. This means that an attacker can remotely access sensitive pricing-related features or data without needing any privileges or user interaction. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting its high impact on confidentiality, as attackers can potentially retrieve sensitive pricing information that could be leveraged for competitive intelligence or further attacks. The attack vector is network-based with low attack complexity, no privileges required, and no user interaction needed, making exploitation feasible for a wide range of threat actors. Although no public exploits have been reported yet, the vulnerability’s nature suggests it could be weaponized quickly once details become widely known. The YayPricing plugin is commonly used in e-commerce platforms built on the YayCommerce ecosystem, which is popular among small to medium-sized online retailers. The lack of proper authorization checks indicates a design or implementation flaw in the plugin’s access control mechanisms, which must be addressed by the vendor. Until patches are released, organizations remain exposed to unauthorized data access risks.

For European organizations, especially those operating e-commerce platforms using YayPricing, this vulnerability poses a significant risk to the confidentiality of pricing data. Exposure of such sensitive information can lead to competitive disadvantages, loss of customer trust, and potential regulatory scrutiny under GDPR if personal or transactional data is indirectly affected. The ease of exploitation without authentication increases the likelihood of attacks, potentially by cybercriminals seeking to gather intelligence or disrupt business operations. While the vulnerability does not impact integrity or availability directly, unauthorized access to pricing functions could enable attackers to gather strategic business intelligence or prepare for more complex attacks. The impact is particularly critical for sectors where pricing strategies are closely guarded, such as retail, wholesale, and manufacturing supply chains. Additionally, reputational damage and compliance risks could arise if the vulnerability leads to data breaches or unauthorized disclosures.

Organizations should prioritize applying official patches from YayCommerce as soon as they become available to address the missing authorization checks. In the interim, administrators should restrict network access to the YayPricing plugin’s interfaces using firewalls or web application firewalls (WAFs) to limit exposure to untrusted networks. Implementing strict access control policies at the web server and application layers can help prevent unauthorized requests. Monitoring and logging access to pricing-related endpoints should be enhanced to detect anomalous or unauthorized activity promptly. Conducting a thorough review of user permissions and roles within the YayCommerce environment can reduce the risk of privilege escalation or misuse. Organizations should also consider isolating the affected plugin in segmented network zones to minimize lateral movement if exploited. Finally, engaging with the vendor for timely updates and subscribing to vulnerability advisories will ensure rapid response to emerging threats.