CVE-2025-67599 identifies a missing authorization vulnerability in the WebToffee eCommerce Marketing Automation plugin for WooCommerce, specifically in the decorator-woocommerce-email-customizer component. This vulnerability arises from incorrectly configured access control security levels, allowing users with low privileges (PR:L) to perform actions or access resources that should be restricted. The vulnerability affects all versions up to and including 2.1.1. The CVSS 3.1 base score is 4.3 (medium severity), reflecting a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), limited confidentiality impact (C:L), and no impact on integrity or availability (I:N/A:N). The flaw enables unauthorized access to certain marketing automation features or data, potentially exposing sensitive customer or marketing information. Exploitation can be performed remotely without user interaction, but requires the attacker to have some level of authenticated access, such as a low-privilege user account. No public exploits or patches are currently documented, indicating the vulnerability is newly disclosed. The issue is critical for organizations relying on this plugin for marketing automation within WooCommerce environments, as unauthorized access could lead to data leaks or manipulation of marketing campaigns.

For European organizations, especially those operating eCommerce platforms using WooCommerce and the WebToffee Marketing Automation plugin, this vulnerability poses a risk of unauthorized data exposure. Although the confidentiality impact is limited, exposure of customer or marketing data can lead to reputational damage, regulatory non-compliance (e.g., GDPR violations), and potential financial losses. The lack of impact on integrity and availability reduces the risk of service disruption or data tampering. However, attackers exploiting this vulnerability could gain insights into marketing strategies or customer information, which could be leveraged for further attacks or competitive disadvantage. The requirement for low-level privileges means that insider threats or compromised low-privilege accounts could be used to exploit this flaw. Given the prominence of eCommerce in Europe and strict data protection regulations, even limited data exposure can have significant consequences.

Organizations should immediately inventory their WooCommerce installations to identify the presence of the WebToffee eCommerce Marketing Automation plugin and its version. Until an official patch is released, restrict access to the plugin’s functionality by limiting user roles and permissions to the minimum necessary. Conduct thorough access control reviews to ensure no excessive privileges are granted to low-level users. Monitor logs for unusual access patterns or attempts to exploit marketing automation features. Implement network segmentation to isolate eCommerce backend systems and apply web application firewalls (WAFs) to detect and block suspicious requests targeting this plugin. Once a security update or patch is available from WebToffee, apply it promptly. Additionally, educate administrators and users about the risk of privilege escalation and the importance of strong authentication controls to prevent unauthorized access. Regularly review and update security policies related to third-party plugins and extensions.