CVE-2025-67599 identifies a missing authorization vulnerability in the WebToffee eCommerce Marketing Automation plugin, specifically within the decorator-woocommerce-email-customizer component. This vulnerability arises from incorrectly configured access control security levels, allowing unauthorized users to perform actions that should require proper authorization. The affected versions include all releases up to and including 2.1.1. The flaw essentially means that the plugin does not adequately verify whether a user has the necessary permissions before allowing certain operations, which could lead to unauthorized access or modification of marketing automation workflows or email customizations. Although no exploits have been reported in the wild, the vulnerability poses a significant risk because it can be exploited without authentication barriers in some configurations, depending on the deployment environment. The plugin is widely used in WooCommerce-based eCommerce sites to automate marketing tasks, including email customization, making it a valuable target for attackers aiming to manipulate marketing content or gain indirect access to customer data. The lack of a CVSS score suggests this is a newly disclosed issue, but the nature of missing authorization vulnerabilities typically implies a high risk due to potential unauthorized actions. The vulnerability was published on December 9, 2025, and assigned by Patchstack, indicating it is recognized by security researchers and awaiting or requiring patching.

For European organizations, especially those operating WooCommerce-based eCommerce platforms using the WebToffee Marketing Automation plugin, this vulnerability could lead to unauthorized access to marketing automation features. Attackers might manipulate email campaigns, alter promotional content, or inject malicious content into customer communications, potentially damaging brand reputation and customer trust. There is also a risk of indirect exposure or modification of customer data if the plugin interfaces with sensitive information. This could result in compliance issues under GDPR if personal data is compromised or mishandled. The disruption of marketing automation workflows could impact sales and customer engagement, leading to financial losses. Since WooCommerce is popular among small to medium-sized enterprises across Europe, the scope of impact could be broad. Additionally, attackers could leverage this vulnerability as a foothold for further attacks within the eCommerce infrastructure. The absence of known exploits currently provides a window for mitigation, but the risk remains significant due to the nature of missing authorization flaws.

Organizations should immediately inventory their WooCommerce installations to identify the presence of the WebToffee eCommerce Marketing Automation plugin and verify the version in use. Until an official patch is released, restrict access to the plugin’s administrative and API endpoints using web application firewalls (WAFs) or server-level access controls to limit exposure. Implement strict role-based access controls (RBAC) within WordPress to ensure only trusted administrators have permissions to manage the plugin. Monitor logs for unusual activity related to marketing automation functions or email customization features. Engage with the vendor or plugin maintainers to obtain updates or patches as soon as they become available and apply them promptly. Consider isolating the marketing automation environment or deploying additional security layers such as multi-factor authentication (MFA) for administrative access. Conduct security awareness training for staff managing eCommerce platforms to recognize potential exploitation attempts. Finally, review GDPR compliance measures to ensure data protection in case of unauthorized access.