CVE-2025-66109: Missing Authorization in octolize Cart Weight for WooCommerce
Missing Authorization vulnerability in octolize Cart Weight for WooCommerce woo-cart-weight allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cart Weight for WooCommerce: from n/a through <= 1.9.11.
AI Analysis
Technical Summary
CVE-2025-66109 is a missing authorization weakness (the CWE-862 class) in the octolize Cart Weight for WooCommerce plugin (slug woo-cart-weight), affecting every release up to and including 1.9.11. The plugin calculates and displays the total weight of the shopping cart on WooCommerce stores. The CVE description classifies the attack as "Exploiting Incorrectly Configured Access Control Security Levels" (CAPEC-180); in WordPress plugins this almost always means an externally reachable entry point (an admin-ajax.php action, a REST route, or a handler that runs on admin_init) whose callback does not verify the caller's capability before acting. The advisory does not name the affected function or say what it exposes, so the exact data reachable cannot be determined from this record. The analysis rates the issue CVSS v3.1 5.3 (medium), which matches a network-reachable vector requiring no privileges and no user interaction, with a limited confidentiality impact and no impact on integrity or availability. Note that the structured record further down this page lists no CVSS version, so treat the score as the analyst's assessment rather than a vector published by the CNA. No exploitation in the wild had been reported as of the publication date (November 21, 2025). No patch link is listed; a fixed release, if one is available, will carry a version number above 1.9.11, so the practical check is whether the installed version is 1.9.11 or lower.
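The record above does not identify the affected function, so the following is an added example, not code from the Cart Weight for WooCommerce plugin or from octolize: it shows the generic WordPress "missing authorization" pattern the description points at, first in its vulnerable form and then hardened. Every hook name, option key and REST namespace here is hypothetical.

```php
<?php
// Added illustration of the CWE-862 pattern in a WordPress plugin. All names
// (example_cart_weight, example_cart_weight_settings, example-cart-weight/v1)
// are placeholders, not identifiers from the real plugin.

// --- Vulnerable form -------------------------------------------------------
// Registering a wp_ajax_nopriv_* action makes it reachable without any session.
// The callback then hands internal data to anyone who knows the action name:
//   GET /wp-admin/admin-ajax.php?action=example_cart_weight
add_action( 'wp_ajax_nopriv_example_cart_weight', 'example_cart_weight_vuln' );
add_action( 'wp_ajax_example_cart_weight', 'example_cart_weight_vuln' );

function example_cart_weight_vuln() {
    // No capability check and no nonce: nothing here asks who the caller is.
    $settings = get_option( 'example_cart_weight_settings', array() );
    wp_send_json_success( $settings );
}

// --- Hardened form ---------------------------------------------------------
// Register for logged-in users only (no nopriv variant), then require both a
// nonce (CSRF) and a capability (authorization). A nonce on its own is NOT
// authorization: anything that renders the nonce into a public page gives it
// to every visitor.
add_action( 'wp_ajax_example_cart_weight_secure', 'example_cart_weight_secure' );

function example_cart_weight_secure() {
    // The nonce must have been minted with the same action string, e.g.
    // wp_create_nonce( 'example_cart_weight' ) on the admin screen that calls this.
    check_ajax_referer( 'example_cart_weight', 'nonce' );

    // manage_woocommerce is the capability WooCommerce grants to shop managers
    // and administrators; pick the narrowest capability the feature needs.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $settings = get_option( 'example_cart_weight_settings', array() );
    wp_send_json_success( $settings );
}

// --- The same mistake on a REST route --------------------------------------
// 'permission_callback' => '__return_true' declares the route public. Use a
// real capability check instead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cart-weight/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return get_option( 'example_cart_weight_settings', array() );
        },
        // vulnerable: 'permission_callback' => '__return_true',
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );
} );
```

When auditing the installed copy, the entry points to inspect are exactly these: every `wp_ajax_nopriv_` registration, every `register_rest_route()` call and its `permission_callback`, and any work done directly on `admin_init` or `admin_post_nopriv_` hooks. A callback that reaches `get_option`, `update_option` or order data without a `current_user_can()` check on one of those paths is the pattern the CVE describes.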
Potential Impact
For European organizations the direct consequence is information disclosure: whatever the unprotected plugin function returns becomes readable by anyone who can reach the site. Cart weight data by itself is low-value, but it can help an attacker map a store's product catalogue or shipping configuration during reconnaissance, and if the exposed function returns anything tied to a session or order it could touch personal data and so become a GDPR matter. Because the rated impact is confidentiality only, integrity and availability are not affected and operational disruption is unlikely. The practical risk is chiefly to the many small and medium-sized WooCommerce merchants in Europe who run unattended plugin installs and would notice neither the disclosure nor its use as a first step in a chained attack against other weaknesses on the same site.
Mitigation Recommendations
European organizations running this plugin should take the following steps:
1) Check the installed version. Anything at 1.9.11 or lower is affected. Watch the plugin's WordPress.org changelog, the octolize site and the Patchstack entry for a release above 1.9.11 and apply it as soon as it ships.
2) Until a fixed release is available, enumerate the plugin's externally reachable entry points (search the plugin directory under wp-content/plugins/woo-cart-weight for wp_ajax_nopriv_, register_rest_route and admin_post_nopriv_ registrations) and gate them: either WAF rules that require an authenticated shop-manager session for those admin-ajax.php actions and REST routes, or an equivalent must-use plugin that refuses them server-side.
3) Keep the plugin inventory small and sourced from WordPress.org or the vendor directly, and audit installed plugins against published advisories on a regular schedule.
4) Restrict what the wider internet can reach: the storefront needs admin-ajax.php for its own front-end features, but /wp-admin/ and the /wp-json/ index can usually be limited to trusted networks or authenticated sessions.
5) Log requests to admin-ajax.php and /wp-json/ together with the action or route and whether the caller was authenticated, and alert on unauthenticated hits to the plugin's actions; these are the requests that would exploit a missing authorization check.
6) Make capability checks (current_user_can) and nonce verification a review requirement for every AJAX and REST handler in in-house plugins, so the same class of defect is not reintroduced elsewhere.
7) If the cart weight feature is not essential, deactivate or remove the plugin until a fixed version is available.
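One way to implement the interim gate in step 2 without touching the plugin's own files is a must-use plugin that denies the suspect entry points to anyone who is not a shop manager. This is an added example and not code from octolize or WooCommerce; the action name and REST namespace it guards are placeholders that must be replaced with the ones found in the installed plugin.

```php
<?php
/**
 * Plugin Name: Interim guard for unauthenticated plugin endpoints
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 * as a stopgap until a fixed plugin release is installed, then remove it.
 */

// Placeholders: replace with the wp_ajax_nopriv_ action names and the REST
// namespace found by grepping the plugin directory.
const EXAMPLE_GUARDED_AJAX_ACTIONS = array( 'example_cart_weight' );
const EXAMPLE_GUARDED_REST_PREFIX  = 'example-cart-weight/v1';

// admin-ajax.php fires admin_init before it dispatches the requested action,
// so a check here runs ahead of the plugin's own callback.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( in_array( $action, EXAMPLE_GUARDED_AJAX_ACTIONS, true )
         && ! current_user_can( 'manage_woocommerce' ) ) {
        // Log the refusal so step 5 (monitoring) sees attempted access.
        error_log( sprintf(
            'guard: blocked admin-ajax action=%s ip=%s',
            $action,
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ) );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
} );

// rest_pre_dispatch runs before the route's own permission_callback, so a
// route declared with '__return_true' is still refused here.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = ltrim( $request->get_route(), '/' );
    if ( 0 === strpos( $route, EXAMPLE_GUARDED_REST_PREFIX )
         && ! current_user_can( 'manage_woocommerce' ) ) {
        error_log( sprintf(
            'guard: blocked REST route=%s ip=%s',
            $request->get_route(),
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ) );
        return new WP_Error( 'rest_forbidden', 'forbidden', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );
```

Because the guard keys on a capability rather than on login state alone, it also refuses customer accounts (subscribers) that an attacker could register on an open store. If the storefront legitimately calls one of the guarded actions for anonymous visitors, that feature will break while the guard is in place; that is the trade-off of a blanket gate applied to an unknown endpoint, and it should be lifted as soon as the fixed plugin version is installed.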
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:21:20.344Z
- CVSS Version: null (this record carries no CVSS vector)
- State: PUBLISHED
Threat ID: 69205c33c36be036e6ff27b7
Added to database: 11/21/2025, 12:33:55 PM
Last enriched: 12/2/2025, 3:20:06 PM
Last updated: 1/7/2026, 3:28:53 AM