Description
The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter.
Published: 2026-01-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Plugin Settings
Action: Patch Immediately
AI Analysis

Impact

The Perfit WooCommerce plugin contains a missing authorization check on the logout function that is invoked via an admin_init hook. This flaw allows an attacker, without authentication, to provide an action parameter that triggers the deletion of any plugin setting. The vulnerability is classified as CWE‑862 and can result in loss of e‑commerce configuration, potentially disabling store features, disrupting checkout workflows, or enabling further malicious actions.

Affected Systems

All installations of the Perfit WooCommerce plugin released by perfitdev, up through version 1.0.1, are affected. The issue resides in the code managing the settings tab and impacts any site running these versions.

Risk and Exploitability

The CVSS score of 5.3 places the flaw in the moderate severity range, and the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely remote via HTTP requests to the WordPress admin interface; this inference is based on the described missing authorization on the admin_init hook and the lack of authentication requirements.

Generated by OpenCVE AI on April 21, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Perfit WooCommerce plugin to the latest version (1.0.2 or newer) which removes the missing authorization check
  • Limit access to the WordPress admin area by restricting the wp-admin endpoint to trusted IP addresses or VPN connections
  • If an update cannot be applied immediately, disable or remove the plugin until a patch is available

Generated by OpenCVE AI on April 21, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Perfitdev
Perfitdev perfit Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Perfitdev
Perfitdev perfit Woocommerce
Wordpress
Wordpress wordpress

Wed, 14 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 07:00:00 +0000

Type Values Removed Values Added
Description The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter.
Title Perfit WooCommerce <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Perfitdev Perfit Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:24.729Z

Reserved: 2025-12-05T22:13:26.091Z

Link: CVE-2025-14173

cve-icon Vulnrichment

Updated: 2026-01-14T19:46:22.226Z

cve-icon NVD

Status : Deferred

Published: 2026-01-14T07:16:11.997

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14173

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:30:22Z

Weaknesses