CVE-2025-62935: Missing Authorization in ilmosys Open Close WooCommerce Store
Missing Authorization vulnerability in ilmosys Open Close WooCommerce Store woc-open-close allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Open Close WooCommerce Store: from n/a through <= 4.9.8.
AI Analysis
Technical Summary
CVE-2025-62935 identifies a missing authorization vulnerability in the ilmosys Open Close WooCommerce Store plugin, affecting versions up to 4.9.8. The vulnerability arises from incorrectly configured access control mechanisms that fail to properly verify user privileges before allowing certain actions. This flaw enables an attacker with low privileges (PR:L) to remotely exploit the plugin over the network (AV:N) without requiring user interaction (UI:N). The scope of the vulnerability is unchanged (S:U), meaning the impact is confined to the vulnerable component. Successful exploitation leads to high confidentiality and integrity impacts (C:H/I:H), allowing unauthorized access to sensitive data or unauthorized modification of store settings or data. Availability is not impacted (A:N). The vulnerability is classified as high severity with a CVSS 3.1 base score of 8.1, reflecting the ease of exploitation combined with significant potential damage. No public exploits are known yet, but the vulnerability's nature makes it a critical risk for WooCommerce stores using this plugin. The plugin is commonly used in e-commerce environments built on WordPress, making it a valuable target for attackers seeking to compromise online stores. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate risk mitigation.
Potential Impact
For European organizations operating WooCommerce-based e-commerce platforms, this vulnerability could lead to unauthorized access to customer data, order information, and store configuration settings, resulting in data breaches and potential financial losses. The integrity of transactional data could be compromised, leading to fraudulent orders or manipulation of store operations. Confidential customer information exposure could violate GDPR and other data protection regulations, resulting in legal and reputational consequences. The absence of availability impact means the store may remain operational, potentially allowing prolonged exploitation without immediate detection. Attackers exploiting this vulnerability could gain footholds to escalate privileges or conduct further attacks within the network. Given the widespread use of WooCommerce in Europe, especially among SMEs and online retailers, the threat poses a significant risk to the e-commerce sector's security and trustworthiness.
Mitigation Recommendations
Organizations should immediately audit their WooCommerce installations to identify the presence of the ilmosys Open Close WooCommerce Store plugin and its version. Until an official patch is released, restrict access to the plugin's administrative functionalities by limiting user roles and permissions strictly to trusted personnel. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the plugin's endpoints. Monitor logs for unusual access patterns or unauthorized attempts to invoke plugin functions. Consider temporarily disabling the plugin if it is not critical to operations or if risk tolerance is low. Engage with the vendor or security community for updates on patches or workarounds. Additionally, ensure that all WordPress and WooCommerce components are kept up to date to reduce the attack surface. Conduct regular security assessments and penetration tests focusing on plugin vulnerabilities. Finally, prepare incident response plans to quickly address any exploitation attempts.
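The following is an added illustration of the vulnerability class this record describes (missing authorization in a WordPress plugin handler) and of the role-based restriction recommended above; it is not code from the Open Close WooCommerce Store plugin or from its author, and the hook names, option name, REST namespace and the choice of the `manage_woocommerce` capability are assumptions made for the example. It places the unchecked pattern beside the hardened one so that a reviewer auditing a plugin knows what to look for.

```php
<?php
// Added example, not the plugin's code. Hook names, option name and the
// capability used are hypothetical choices for illustration.

// Vulnerable pattern (CWE-862): every logged-in user can reach a
// wp_ajax_* handler, and nothing here verifies that the caller is allowed
// to change store settings. A low-privileged account (PR:L) could read or
// overwrite the option. Shown for comparison only; it is not registered.
function example_store_save_hours_unchecked() {
    $hours = isset( $_POST['hours'] ) ? wp_unslash( $_POST['hours'] ) : '';
    update_option( 'example_store_open_hours', sanitize_text_field( $hours ) );
    wp_send_json_success();
}

// Hardened pattern: authorization (capability check) and request
// authenticity (nonce) are both verified before any read or write.
add_action( 'wp_ajax_example_store_save_hours', 'example_store_save_hours_checked' );
function example_store_save_hours_checked() {
    // Authorization: only users permitted to manage the store may proceed.
    // manage_woocommerce is the capability WooCommerce grants to shop
    // managers and administrators; pick the narrowest capability that fits.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_store_save_hours', 'nonce' );

    $hours = isset( $_POST['hours'] )
        ? sanitize_text_field( wp_unslash( $_POST['hours'] ) )
        : '';
    update_option( 'example_store_open_hours', $hours );
    wp_send_json_success( array( 'hours' => $hours ) );
}

// The same principle for a REST route: permission_callback is where the
// authorization decision lives. A route registered with
// 'permission_callback' => '__return_true' is open to any caller.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-store/v1', '/hours', array(
        'methods'             => 'POST',
        'callback'            => 'example_store_rest_save_hours',
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );
} );

function example_store_rest_save_hours( WP_REST_Request $request ) {
    $hours = sanitize_text_field( (string) $request->get_param( 'hours' ) );
    update_option( 'example_store_open_hours', $hours );
    return rest_ensure_response( array( 'hours' => $hours ) );
}
```

When auditing an installed plugin for this class of flaw, the things to grep for are `wp_ajax_` and `register_rest_route` registrations and then to confirm that each handler (or its `permission_callback`) calls `current_user_can()` with an appropriate capability; a nonce check alone is not authorization, since any logged-in user can obtain a valid nonce.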
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-24T14:24:41.997Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68fed03223a7bbed324acc08
Added to database: 10/27/2025, 1:51:46 AM
Last enriched: 1/20/2026, 10:56:49 PM
Last updated: 2/6/2026, 11:29:01 PM
Views: 184
Related Threats
- CVE-2026-25762: CWE-400: Uncontrolled Resource Consumption in adonisjs core (High)
- CVE-2026-25754: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in adonisjs core (High)
- CVE-2026-25644: CWE-295: Improper Certificate Validation in datahub-project datahub (High)
- CVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea (High)
- CVE-2026-25803: CWE-798: Use of Hard-coded Credentials in denpiligrim 3dp-manager (Critical)