Description
The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the 'catIds' parameter.
Published: 2025-12-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of WooCommerce Product Categories
Action: Patch Immediately
AI Analysis

Impact

This vulnerability arises from a missing capability check in the RemoveItems AJAX action of the Eyewear prescription form plugin. Because the plugin fails to verify user permissions, any unauthenticated user can submit a request with the 'catIds' parameter and delete arbitrary WooCommerce product categories, including all of their child categories. The underlying weakness is a classic missing authorization flaw, classified as CWE-862.

Affected Systems

WordPress sites that have installed the Dugudlabs Eyewear prescription form plugin, versions up to and including 6.0.1. The flaw specifically targets environments that also run WooCommerce, since the deletion payload directly manipulates WooCommerce product categories. No specific patch version is listed in the data, but the issue applies universally to all versions up to 6.0.1.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact when the flaw is exploited, while the EPSS score of less than 1% suggests a very low probability of exploitation at the time of this analysis. The vulnerability is not currently listed in the CISA KEV catalog, which reduces the likelihood of a widespread public exploit. Nonetheless, the attack vector is straightforward: an unauthenticated HTTP request to the RemoveItems AJAX endpoint with a crafted 'catIds' argument. An attacker only needs access to the WordPress site and no privileged credentials to delete product categories.

Generated by OpenCVE AI on April 20, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Eyewear prescription form plugin to the latest released version that includes the missing authorization check.
  • If an immediate upgrade is not possible, modify the plugin’s RemoveItems AJAX handler to require proper user capability checks or authentication before allowing category deletions.
  • Restrict the AJAX endpoint to authenticated users or specific roles, for example by adding a capability requirement such as 'manage_woocommerce' to the request handler.
  • Monitor WordPress logs for unexpected category deletion events or implement a security plugin that alerts on bulk category removal requests.

Generated by OpenCVE AI on April 20, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the 'catIds' parameter.
Title Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:48.344Z

Reserved: 2025-12-09T18:23:53.612Z

Link: CVE-2025-14365

cve-icon Vulnrichment

Updated: 2025-12-15T15:24:59.325Z

cve-icon NVD

Status : Deferred

Published: 2025-12-13T16:16:48.467

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14365

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses