Description
The Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.17 via the 'wqv_popup_content' AJAX endpoint due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from private products that they should not have access to.
Published: 2025-11-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Private Product Disclosure
Action: Update Plugin
AI Analysis

Impact

The Quick View for WooCommerce plugin is vulnerable to information exposure, allowing attackers who are not authenticated to retrieve details about private products. The flaw resides in the wqv_popup_content AJAX endpoint, which does not restrict visibility of private products. Affected data can include product titles, descriptions, prices, and any other metadata exposed through the endpoint, leading to unwanted disclosure of sensitive e‑commerce information.

Affected Systems

The vulnerability affects the Quick View for WooCommerce plugin developed by shapedplugin. All plugin versions up to and including 2.2.17 are impacted. Versions newer than 2.2.17 are not reported as vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity. The EPSS score of less than 1% suggests a low probability of exploitation. The issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending unauthenticated requests to the wqv_popup_content endpoint, which returns private product data without enforcing access control.

Generated by OpenCVE AI on April 22, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quick View for WooCommerce to the latest version (greater than 2.2.17).
  • If an upgrade is not immediately possible, disable the wqv_popup_content AJAX endpoint or restrict its access to authenticated users only.
  • Ensure product visibility settings are correctly configured so that private products remain hidden from public queries.

Generated by OpenCVE AI on April 22, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Nov 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Shapedplugin
Shapedplugin quick View
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Shapedplugin
Shapedplugin quick View
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Thu, 27 Nov 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.17 via the 'wqv_popup_content' AJAX endpoint due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from private products that they should not have access to.
Title Quick View for WooCommerce <= 2.2.17 - Unauthenticated Private Product Disclosure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Shapedplugin Quick View
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:36.134Z

Reserved: 2025-10-31T21:58:43.201Z

Link: CVE-2025-12584

cve-icon Vulnrichment

Updated: 2025-12-03T20:53:12.307Z

cve-icon NVD

Status : Deferred

Published: 2025-11-27T10:15:50.760

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12584

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses