Description
The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to.
Published: 2025-11-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Information Exposure
Action: Patch Plugin
AI Analysis

Impact

The vulnerability resides in the ajax_pmw_get_product_ids() function of the Pixel Manager for WooCommerce plugin. It allows an unauthenticated attacker to retrieve product identifiers for items that are password protected, private, or marked as draft. This discloses potentially sensitive product data and violates confidentiality. The weakness is classified as CWE-200, an information exposure flaw.

Affected Systems

All installations of Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing with versions up to and including 1.49.2 on WordPress sites are affected. No further version specifications are available; therefore any instance using 1.49.2 or older is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while the EPSS score of <1% suggests a low likelihood of exploitation in the wild. The plugin is not listed in CISA KEV, meaning the vulnerability has not yet been reported as actively exploited. The attack is network-reachable and requires no privileges or user interaction (AV:N/PR:N/UI:N in the CVSS vector): an attacker can call the exposed AJAX endpoint to gather sensitive product information without any credentials.

Generated by OpenCVE AI on April 21, 2026 at 18:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Pixel Manager for WooCommerce to a version newer than 1.49.2 so that the ajax_pmw_get_product_ids() function properly restricts product visibility.
  • Ensure WordPress user roles and permissions are configured so that anonymous or unauthenticated users cannot access private or draft content, thereby reducing the impact of the exposed endpoint.
  • Apply or configure a security plugin or firewall rule that authenticates or blocks unauthenticated requests to the ajax_pmw_get_product_ids endpoint, adding an extra layer of access control to mitigate the information exposure.

Advisories

No advisories yet.

History

Fri, 21 Nov 2025 09:30:00 +0000

Type: First Time appeared
Values Added: Alekv; Alekv pixel Manager For Woocommerce; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Alekv; Alekv pixel Manager For Woocommerce; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Tue, 18 Nov 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 14:30:00 +0000

Type: Description
Values Added: The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to.

Type: Title
Values Added: Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more <= 1.49.2 - Unauthenticated Information Exposure

Type: Weaknesses
Values Added: CWE-200

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:17.622Z

Reserved: 2025-10-31T11:20:54.685Z

Link: CVE-2025-12545

Vulnrichment

Updated: 2025-11-18T14:27:23.647Z

NVD

Status: Deferred

Published: 2025-11-18T15:16:26.483

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12545

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:15:36Z

Weaknesses