CVE-2025-66109 identifies a missing authorization vulnerability in the Cart Weight for WooCommerce plugin developed by octolize, affecting all versions up to and including 1.9.11. This vulnerability arises from improperly configured access control mechanisms, allowing unauthenticated remote attackers to access certain plugin functionalities or data without proper permission checks. The flaw is classified as an access control weakness, which can lead to unauthorized information disclosure, though it does not allow modification of data or disruption of service. The vulnerability is exploitable over the network without requiring any privileges or user interaction, increasing its risk profile. The CVSS 3.1 base score is 5.3, indicating a medium severity level, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning it is remotely exploitable with low attack complexity, no privileges, no user interaction, and impacts confidentiality only. No known public exploits or active exploitation campaigns have been reported to date. The vulnerability affects WooCommerce installations that utilize the Cart Weight plugin, which is commonly used to calculate shipping costs based on cart weight, a critical function for e-commerce operations. The lack of authorization checks could allow attackers to retrieve sensitive information related to cart weight calculations or other plugin data, potentially aiding further attacks or reconnaissance. The issue was published on November 21, 2025, and no official patches or updates have been linked yet, emphasizing the need for vigilance and interim mitigations.

For European organizations, especially those operating e-commerce platforms using WooCommerce with the Cart Weight plugin, this vulnerability poses a risk of unauthorized information disclosure. While the direct impact is limited to confidentiality and does not affect data integrity or availability, the exposure of internal plugin data could facilitate further targeted attacks or fraud attempts. Given the widespread use of WooCommerce in Europe, particularly in countries with mature e-commerce markets such as Germany, the UK, France, and the Netherlands, the potential attack surface is significant. Organizations handling sensitive customer or transaction data could face reputational damage and regulatory scrutiny under GDPR if unauthorized data access occurs. Although no active exploitation is known, the ease of exploitation without authentication or user interaction increases the urgency for mitigation. The vulnerability could also be leveraged as part of a multi-stage attack chain, making it a relevant concern for security teams managing e-commerce infrastructure.

European organizations should immediately inventory their WooCommerce installations to identify the use of the Cart Weight plugin and its version. Until an official patch is released, organizations should implement strict access controls on the plugin’s endpoints, such as restricting access by IP address or requiring authentication at the web server or application firewall level. Monitoring web server logs and WooCommerce activity for unusual or unauthorized access attempts targeting the Cart Weight plugin is critical. Employing a Web Application Firewall (WAF) with custom rules to block suspicious requests related to the plugin can reduce exposure. Organizations should also engage with the plugin vendor or community to track patch releases and apply updates promptly once available. Additionally, conducting regular security assessments and penetration tests focusing on WooCommerce plugins can help identify similar misconfigurations or vulnerabilities. Finally, educating development and operations teams about secure plugin management and access control best practices will help prevent recurrence.