CVE-2025-64267: Exposure of Sensitive System Information to an Unauthorized Control Sphere in WPSwings WooCommerce Ultimate Points And Rewards
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPSwings WooCommerce Ultimate Points And Rewards (plugin slug woocommerce-ultimate-points-and-rewards) allows Retrieve Embedded Sensitive Data. This issue affects WooCommerce Ultimate Points And Rewards: from n/a through <= 2.10.2, that is, every release up to and including 2.10.2.
AI Analysis
Technical Summary
CVE-2025-64267 is a vulnerability in the WPSwings WooCommerce Ultimate Points And Rewards plugin (slug woocommerce-ultimate-points-and-rewards), which manages loyalty points and rewards on WooCommerce stores. The weakness class, Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497), together with the capability label "Retrieve Embedded Sensitive Data", indicates that an unauthenticated attacker (PR:N) can obtain information the plugin embeds or exposes that should not be reachable; the advisory does not say which data. The attack vector is network-based (AV:N), so exploitation is remote, but it requires user interaction (UI:R), for example a victim loading a crafted link or page. The vector records limited confidentiality impact and no integrity or availability impact (C:L/I:N/A:N), which yields a CVSS v3.1 base score of 4.3 (medium). Note that the CVSS version field in this record is empty (null), so verify the score against the Patchstack or NVD entry before using it for prioritization. All releases up to and including 2.10.2 are affected, and no patched version was available when this entry was published. No exploitation in the wild has been reported. Disclosure of this kind is rarely an end in itself; its value to an attacker is as reconnaissance for a follow-on attack such as targeted phishing or abuse of an exposed credential. The CVE was reserved on 2025-10-29 and published in late 2025. The absence of an authentication requirement and the network vector raise the risk profile, while the need for user interaction and the limited impact keep the overall severity at medium.
Potential Impact
For European organizations running WooCommerce storefronts with this plugin installed, the risk is leakage of data the plugin embeds or exposes. The advisory does not enumerate that data; depending on what is embedded, it could be system configuration, API keys or internal URLs, any of which helps an attacker plan a follow-on attack (unauthorized access, or phishing that quotes store internals to look legitimate). Integrity and availability are not affected, but a confidentiality breach can still erode customer trust and, if personal data is among what leaks, create GDPR notification obligations. The medium score reflects the limited impact, yet WooCommerce's large footprint among European small and medium enterprises means many stores may be exposed. Because the vector requires user interaction, an attacker needs a victim to load a crafted page rather than a vulnerable server alone, which shapes both the likely attack (link delivered to store staff or customers) and the defence. No public exploit is known, which lowers immediate risk but not the threat: exploits commonly appear after disclosure, and unpatched plugins are a routine target for mass scanning.
Mitigation Recommendations
Update the plugin to a fixed release as soon as WPSwings publishes one; track the vendor changelog and the Patchstack entry rather than waiting for an automatic update, and if the plugin updates through a licensing channel, confirm the new version actually installed. First confirm exposure: any install reporting version 2.10.2 or lower is affected (with WP-CLI: wp plugin get woocommerce-ultimate-points-and-rewards --field=version, or check the Plugins screen). Until a fix exists, reduce what is reachable: keep the plugin's administrative functions behind authenticated administrator accounts, and note that blanket IP restrictions on plugin endpoints are rarely practical on a public storefront whose customers use the points features, so apply them to admin-side paths only. A WAF rule is only effective once the leaking endpoint is known, so do not rely on generic signatures; instead monitor access logs for bursts of requests against the plugin's directory, or unusual responses from its endpoints, and alert early. Because the vector requires user interaction, brief store staff and administrators not to follow unsolicited links into the store's admin area. Schedule plugin-focused vulnerability scanning and periodic audits, and review what the plugin and theme embed in pages served to visitors so that secrets are never shipped client-side.
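The version triage and log-monitoring steps above, as an added example written for this page (not WPSwings code and not from the advisory). It assumes the plugin is installed under the standard WordPress path wp-content/plugins/<slug>/ and that the web server writes Apache/nginx combined-format access logs; the plugin header and log lines inside the block are constructed, and the file names in those log lines are invented for the example.

```python
"""Added example (not WPSwings code, not from the advisory): triage and log
monitoring for CVE-2025-64267.

- read_plugin_version() / is_affected_version(): decide whether an installed
  copy of the plugin falls in the affected range ("through <= 2.10.2").
- plugin_request_hot_spots(): scan combined-format access-log lines and report
  client IPs that repeatedly request non-asset files under the plugin directory.

Assumptions not stated in the advisory: standard WordPress layout
wp-content/plugins/<slug>/ and Apache/nginx combined log format. The plugin
header and log lines below are constructed; the file names in them are invented.
"""
import re
from collections import Counter

PLUGIN_SLUG = "woocommerce-ultimate-points-and-rewards"  # slug from the advisory
LAST_AFFECTED = "2.10.2"                                 # "through <= 2.10.2"
PLUGIN_PATH = f"/wp-content/plugins/{PLUGIN_SLUG}/"      # assumed standard layout

# Static assets every storefront visitor legitimately loads; not worth counting.
STATIC_EXT = {"css", "js", "png", "jpg", "jpeg", "gif", "svg", "woff", "woff2", "map"}

# WordPress plugin header line, e.g. " * Version: 2.10.2" in the main plugin file.
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Apache/nginx "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def _version_tuple(version: str, width: int) -> tuple:
    """'2.10' -> (2, 10, 0); non-numeric suffixes such as '2-beta' contribute only the digits."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def is_affected_version(installed: str) -> bool:
    """True when the installed version is at or below LAST_AFFECTED."""
    width = max(len(installed.split(".")), len(LAST_AFFECTED.split(".")))
    return _version_tuple(installed, width) <= _version_tuple(LAST_AFFECTED, width)


def read_plugin_version(main_file_text: str):
    """Extract 'Version:' from a plugin's main PHP file header, or None if absent."""
    m = HEADER_VERSION_RE.search(main_file_text)
    return m.group(1) if m else None


def plugin_request_hot_spots(log_lines, threshold: int = 3) -> dict:
    """Return {ip: count} for clients with >= threshold requests to non-asset
    files under the plugin directory. Status codes are deliberately not
    filtered: a 200 on a file that should not be readable is what we want to see."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # malformed line: skip, do not crash
        path = m.group("path").split("?", 1)[0]   # drop the query string
        if not path.startswith(PLUGIN_PATH):
            continue
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in STATIC_EXT:
            continue
        hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed plugin header (only the fields this example needs).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WooCommerce Ultimate Points And Rewards
 * Version: 2.10.2
 */
"""

# Constructed combined-format log lines: RFC 5737 test addresses, invented file names.
_P = PLUGIN_PATH
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2025:10:01:02 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [14/Nov/2025:10:01:03 +0000] "GET {_P}public/css/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    f'198.51.100.23 - - [14/Nov/2025:10:05:10 +0000] "GET {_P}readme.txt HTTP/1.1" 200 4100 "-" "curl/8.4.0"',
    f'198.51.100.23 - - [14/Nov/2025:10:05:11 +0000] "GET {_P}includes/class-example.php HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    f'198.51.100.23 - - [14/Nov/2025:10:05:12 +0000] "GET {_P}package.json?v=1 HTTP/1.1" 404 196 "-" "curl/8.4.0"',
    f'198.51.100.23 - - [14/Nov/2025:10:05:13 +0000] "GET {_P}public/js/app.js HTTP/1.1" 200 3300 "-" "curl/8.4.0"',
    "this line is not a valid log record",
]

if __name__ == "__main__":
    ver = read_plugin_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {ver}: affected={is_affected_version(ver)}")
    for ip, n in plugin_request_hot_spots(SAMPLE_LOG).items():
        print(f"{ip}: {n} non-asset requests under {PLUGIN_PATH}")
```

On a real host, feed read_plugin_version() the contents of the plugin's main PHP file (or take the version from WP-CLI) and pipe the web server's access log into plugin_request_hot_spots(); the threshold is a starting point to tune against normal traffic, since the goal is to catch one client enumerating files under the plugin directory rather than ordinary visitors loading its stylesheets and scripts.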
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-29T03:08:22.609Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6915aa33dac9b42fc37a58a7
Added to database: 11/13/2025, 9:51:47 AM
Last enriched: 1/20/2026, 11:55:36 PM
Last updated: 2/7/2026, 1:28:19 PM
Views: 61