CVE-2025-60077: Missing Authorization in YayCommerce YayPricing
Missing Authorization vulnerability in YayCommerce YayPricing yaypricing allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects YayPricing: from n/a through <= 3.5.3.
AI Analysis
Technical Summary
CVE-2025-60077 is a security vulnerability identified in the YayCommerce YayPricing plugin, affecting all versions up to and including 3.5.3. The core issue is a missing authorization check that allows unauthorized users to access functionality that should be protected by Access Control Lists (ACLs). This means that certain functions within the YayPricing plugin can be invoked without proper permission verification, potentially enabling attackers to perform actions reserved for authorized users. YayPricing is a plugin used in e-commerce platforms to manage pricing strategies and configurations. The absence of proper authorization controls could allow attackers to view, modify, or manipulate pricing data, which could lead to financial fraud, pricing inconsistencies, or exposure of sensitive business information. The vulnerability does not require authentication, making it easier for attackers to exploit remotely without prior access. As of the publication date, no known exploits have been reported in the wild, and no patches have been officially released. The vulnerability was reserved in late September 2025 and published in December 2025. The lack of a CVSS score indicates that the severity has not been formally assessed, but the nature of the vulnerability suggests significant risk. The vulnerability affects the confidentiality and integrity of pricing data and could disrupt availability if exploited to cause operational issues. The scope includes all installations of YayPricing up to version 3.5.3, which may be widely used in e-commerce environments.
Potential Impact
For European organizations, the impact of CVE-2025-60077 could be substantial, particularly for those relying on YayPricing for managing online pricing strategies. Unauthorized access to pricing functions could lead to manipulation of prices, resulting in financial losses, reputational damage, and loss of customer trust. Confidential business information related to pricing models and strategies could be exposed to competitors or malicious actors. Integrity of pricing data could be compromised, causing operational disruptions and incorrect billing or discounting. The vulnerability could also be leveraged as a foothold for further attacks within the e-commerce infrastructure. Given the critical role of e-commerce in European economies, especially in countries with advanced digital retail sectors, the threat could affect a broad range of businesses from SMEs to large enterprises. Regulatory compliance risks may also arise if sensitive customer or pricing data is exposed, potentially violating GDPR and other data protection laws. The absence of known exploits provides a window for proactive mitigation, but the ease of exploitation without authentication increases urgency. Organizations with integrated supply chains and automated pricing systems are particularly vulnerable to cascading effects from this vulnerability.
Mitigation Recommendations
To mitigate CVE-2025-60077, European organizations should immediately audit their YayPricing plugin installations to identify affected versions (up to 3.5.3). Until an official patch is released, implement compensating controls such as restricting access to the plugin's administrative interfaces via network segmentation and firewall rules, limiting access to trusted IP addresses only. Employ web application firewalls (WAFs) to detect and block unauthorized attempts to invoke restricted functions. Review and tighten user roles and permissions within the e-commerce platform to minimize exposure. Monitor logs for unusual or unauthorized access patterns related to pricing functions. Engage with YayCommerce for timely updates and apply patches as soon as they become available. Conduct penetration testing focused on authorization controls to identify any other potential weaknesses. Educate staff about the risks and signs of exploitation attempts. Consider implementing multi-factor authentication (MFA) for administrative access to reduce the risk of unauthorized use. Finally, maintain regular backups of pricing configurations and data to enable rapid recovery if manipulation occurs.
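The advisory names the weakness class (functionality not properly constrained by ACLs) but not the affected handler, so the following is an added illustration of that class in a generic WordPress plugin, not YayPricing's code and not derived from it. The plugin, hook, option and nonce names (example_pricing_save_rule, example_pricing_rules, example_pricing_nonce) are invented for the example; it assumes the core WordPress capability manage_options as the role gate. The first handler shows the CWE-862 shape an auditor looks for during the role-and-permission review recommended above; the second is the same handler with the checks that close it.

```php
<?php
/**
 * Added example (hypothetical plugin code, not YayPricing's): a pricing-rule
 * save handler exposed through admin-ajax.php, shown unchecked and checked.
 */

/*
 * UNCHECKED (CWE-862 pattern). Nothing verifies who is calling: no
 * capability check, no nonce, and if it were also registered on the
 * wp_ajax_nopriv_* hook even a logged-out visitor could overwrite pricing
 * rules. Shown for contrast only; it is deliberately NOT registered below.
 */
function example_pricing_save_rule_unchecked() {
	$rules = get_option( 'example_pricing_rules', array() );
	$rules[ sanitize_key( $_POST['rule_id'] ) ] = array(
		'discount' => floatval( $_POST['discount'] ),
	);
	update_option( 'example_pricing_rules', $rules );
	wp_send_json_success();
}
// add_action( 'wp_ajax_example_pricing_save_rule',        'example_pricing_save_rule_unchecked' );
// add_action( 'wp_ajax_nopriv_example_pricing_save_rule', 'example_pricing_save_rule_unchecked' );

/*
 * CHECKED. Three separate controls, each needed:
 *  1. Registered only on wp_ajax_*, so unauthenticated requests never reach
 *     the handler (WordPress answers them with its default "0" response).
 *  2. check_ajax_referer() rejects requests that lack a nonce bound to this
 *     action, which blocks cross-site request forgery against an admin.
 *  3. current_user_can() is the authorization check proper: a logged-in
 *     customer or subscriber without manage_options is refused with 403.
 *     A nonce alone is NOT authorization; step 3 is what the CVE class lacks.
 */
function example_pricing_save_rule_checked() {
	check_ajax_referer( 'example_pricing_nonce', 'nonce' );

	if ( ! current_user_can( 'manage_options' ) ) { // assumed capability for store admins
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// Validate input only after the caller is known to be allowed to act.
	$rule_id  = isset( $_POST['rule_id'] ) ? sanitize_key( wp_unslash( $_POST['rule_id'] ) ) : '';
	$discount = isset( $_POST['discount'] ) ? floatval( wp_unslash( $_POST['discount'] ) ) : -1.0;
	if ( '' === $rule_id || $discount < 0.0 || $discount > 100.0 ) {
		wp_send_json_error( array( 'message' => 'Invalid rule.' ), 400 );
	}

	$rules             = get_option( 'example_pricing_rules', array() );
	$rules[ $rule_id ] = array( 'discount' => $discount );
	update_option( 'example_pricing_rules', $rules );

	wp_send_json_success( array( 'rule_id' => $rule_id, 'discount' => $discount ) );
}
add_action( 'wp_ajax_example_pricing_save_rule', 'example_pricing_save_rule_checked' );
```

The admin page that issues the request has to embed the matching nonce (wp_create_nonce( 'example_pricing_nonce' )) in the form or script it localizes. If the plugin exposes the same operation through the REST API instead of admin-ajax.php, the equivalent control is a non-trivial permission_callback on register_rest_route() that performs the same current_user_can() test; a permission_callback of __return_true on a write endpoint is the REST form of this same weakness. For the log-monitoring step in the recommendations above, the signal to watch for is POST traffic to admin-ajax.php or to the plugin's REST routes carrying the plugin's action names from sessions that hold no administrative role.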
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:19:48.981Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6943b04c4eb3efac36700364
Added to database: 12/18/2025, 7:42:04 AM
Last enriched: 12/18/2025, 8:32:35 AM
Last updated: 12/19/2025, 8:12:18 AM
Views: 3
Related Threats
- CVE-2025-66501: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Foxit Software Inc. pdfonline.foxit.com (Medium)
- CVE-2025-66500: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Foxit Software Inc. webplugins.foxit.com (Medium)
- CVE-2025-66499: CWE-190 Integer Overflow or Wraparound in Foxit Software Inc. Foxit PDF Reader (High)
- CVE-2025-66498: CWE-125 Out-of-bounds Read in Foxit Software Inc. Foxit PDF Reader (Medium)
- CVE-2025-66497: CWE-125 Out-of-bounds Read in Foxit Software Inc. Foxit PDF Reader (Medium)