Impact
Missing authorization in Xfinitysoft Order Limit for WooCommerce allows attackers to bypass access controls and potentially alter order limits or perform other unauthorized actions within a WooCommerce store. The flaw arises from incorrectly configured access control security levels, which let users or attackers without the proper privileges manipulate the plugin settings that govern how many orders a customer may place. This can compromise the integrity of the ordering process, break business rules, and expose the store to incorrectly processed or fraudulent orders.
Affected Systems
Vulnerable systems are WordPress installations running the Xfinitysoft Order Limit for WooCommerce plugin at version 3.0.2 or earlier. Any site that has not updated to a newer release inherits the broken access control flaw.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via the plugin's exposed administrative or configuration endpoints. An attacker may need an authenticated account, but because the plugin does not perform proper authorization checks, compromised or insufficiently privileged users can view or inject malicious settings, undermining the store's operational integrity.
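The pattern behind a missing-authorization flaw of the kind described above, as an added illustration that is not the plugin's own code: a hypothetical WordPress AJAX handler that saves a per-customer order limit, shown without an authorization check and then hardened. The hook names, option name and nonce action are assumptions.

```php
<?php
// Hypothetical handler, not taken from the Xfinitysoft plugin. Any names
// below (hooks, option, nonce action) are assumptions for illustration.

// BEFORE: registered on wp_ajax_*, so it is reachable by any logged-in
// account, and nothing verifies that the caller may manage the store.
// This is the "missing authorization" shape: authentication without authorization.
add_action( 'wp_ajax_xs_save_order_limit_unchecked', function () {
    $limit = isset( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 0;
    update_option( 'xs_order_limit_per_customer', $limit );
    wp_send_json_success( array( 'limit' => $limit ) );
} );

// AFTER: authorization, request-forgery protection and validation happen
// before any state changes.
add_action( 'wp_ajax_xs_save_order_limit', function () {
    // 1. Authorization: only users with the WooCommerce store-management
    //    capability may change order limits. A nonce alone does not do this.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }

    // 2. CSRF protection: the request must carry the nonce issued to the
    //    settings page. check_ajax_referer() dies on failure.
    check_ajax_referer( 'xs_order_limit_nonce', '_wpnonce' );

    // 3. Input validation: an order limit must be a positive integer.
    $limit = isset( $_POST['limit'] ) ? absint( wp_unslash( $_POST['limit'] ) ) : 0;
    if ( $limit < 1 ) {
        wp_send_json_error( array( 'message' => 'invalid limit' ), 400 ); // exits
    }

    update_option( 'xs_order_limit_per_customer', $limit );
    wp_send_json_success( array( 'limit' => $limit ) );
} );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*`, `admin_post_*` or REST route callback that writes options and confirm it calls `current_user_can()` with an appropriate capability, not just a nonce check.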
OpenCVE Enrichment