Description
Missing Authorization vulnerability in Marco Almeida | Webdados Taxonomy/Term and Role based Discounts for WooCommerce taxonomy-discounts-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through <= 5.1.
Published: 2025-01-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site request forgery that arises from missing authorization checks in the Taxonomy/Term and Role based Discounts for WooCommerce plugin. By exploiting this flaw, an attacker who can cause a logged‑in user to submit a crafted request can alter discount configuration settings, potentially leading to unintended discounts or the removal of existing ones. The weakness is classified as CWE‑862 and can directly compromise the financial integrity of the WooCommerce store.

Affected Systems

The issue affects the WordPress plugin developed by Marco Almeida | Webdados, named Taxonomy/Term and Role based Discounts for WooCommerce. All versions from the initial release up to and including 5.1 are impacted.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate impact. The EPSS score is less than 1 %, showing low current exploitation probability, and it is not listed in the CISA KEV catalog. The likely attack vector is a CSRF where an authenticated user is tricked into sending an unauthorized request to the plugin’s settings endpoint. No public exploit is known, but the flaw permits unauthorized configuration changes that could affect store revenue and customer experience.

Generated by OpenCVE AI on May 1, 2026 at 18:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Taxonomy/Term and Role based Discounts for WooCommerce plugin to the latest version (≥5.2) to remove the vulnerability.
  • If a newer version is unavailable, disable or uninstall the plugin to eliminate the risk.
  • Restrict the plugin’s settings access by assigning the required capability only to trusted administrators or using role management to limit who can modify discount rules.

Generated by OpenCVE AI on May 1, 2026 at 18:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3826 Missing Authorization vulnerability in Marco Almeida | Webdados Taxonomy/Term and Role based Discounts for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through 5.1.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Naked Cat Plugins Taxonomy/Term and Role based Discounts for WooCommerce taxonomy-discounts-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through <= 5.1. Missing Authorization vulnerability in Marco Almeida | Webdados Taxonomy/Term and Role based Discounts for WooCommerce taxonomy-discounts-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through <= 5.1.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Marco Almeida | Webdados Taxonomy/Term and Role based Discounts for WooCommerce taxonomy-discounts-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through <= 5.1. Missing Authorization vulnerability in Naked Cat Plugins Taxonomy/Term and Role based Discounts for WooCommerce taxonomy-discounts-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through <= 5.1.
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Marco Almeida | Webdados Taxonomy/Term and Role based Discounts for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through 5.1. Missing Authorization vulnerability in Marco Almeida | Webdados Taxonomy/Term and Role based Discounts for WooCommerce taxonomy-discounts-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through <= 5.1.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Fri, 24 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Marco Almeida | Webdados Taxonomy/Term and Role based Discounts for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through 5.1.
Title WordPress Taxonomy/Term and Role based Discounts for WooCommerce plugin <= 5.1 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:17:46.360Z

Reserved: 2025-01-23T14:51:25.978Z

Link: CVE-2025-24625

cve-icon Vulnrichment

Updated: 2025-01-24T18:46:42.612Z

cve-icon NVD

Status : Deferred

Published: 2025-01-24T18:15:37.897

Modified: 2026-04-28T19:29:18.710

Link: CVE-2025-24625

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T19:00:08Z

Weaknesses