{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13314", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-17T15:01:06.519Z", "datePublished": "2025-12-12T03:20:56.597Z", "dateUpdated": "2026-04-08T17:21:49.299Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:49.299Z"}, "affected": [{"vendor": "markutos987", "product": "Filter Plus \u2013 Product Filter & WordPress Filter", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Product Filtering by Categories, Tags, Price Range for WooCommerce \u2013 Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options."}], "title": "Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.6 - Missing Authorization to Unauthenticated Plugin Settings Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9686681-4e64-43f1-ba0a-56d10c8d1db9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L28"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/base/enqueue.php#L178"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.7/core/admin/settings/action.php#L23"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-11T15:04:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T16:23:39.690717Z", "id": "CVE-2025-13314", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T16:24:27.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13314", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T16:23:39.690717Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T16:24:23.792Z"}}], "cna": {"title": "Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.6 - Missing Authorization to Unauthenticated Plugin Settings Modification", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "markutos987", "product": "Filter Plus \u2013 Product Filter & WordPress Filter", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T15:04:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9686681-4e64-43f1-ba0a-56d10c8d1db9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L28"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/base/enqueue.php#L178"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.7/core/admin/settings/action.php#L23"}], "descriptions": [{"lang": "en", "value": "The Product Filtering by Categories, Tags, Price Range for WooCommerce \u2013 Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:49.299Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13314", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:49.299Z", "dateReserved": "2025-11-17T15:01:06.519Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:56.597Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Product Filtering by Categories, Tags, Price Range for WooCommerce \u2013 Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options."}], "id": "CVE-2025-13314", "lastModified": "2026-04-08T19:23:22.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:40.980", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/base/enqueue.php#L178"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L23"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L28"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L82"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.7/core/admin/settings/action.php#L23"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9686681-4e64-43f1-ba0a-56d10c8d1db9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"created": "2025-12-12T08:47:55.043359+00:00", "updated": "2025-12-12T08:47:55.043385+00:00", "vendors": ["markutos987", "markutos987$PRODUCT$product_filtering_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}