Impact
The vulnerability is a missing authorization flaw (CWE‑862): the plugin exposes the XML feed manager interface without verifying that the requesting user is permitted to use it, so an attacker can view or manipulate the feed manager without proper permission checks. This could let a user read or modify feed data, potentially exposing sensitive product information or injecting malicious entries, and so leads to unauthorized data exposure and integrity compromise. The official severity is a CVSS score of 6.5, indicating a moderate impact when exploited. The EPSS score is reported as < 1%, suggesting a low probability of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be the WordPress site’s authenticated session: because the plugin lacks proper access control, an attacker with any user account could potentially reach the feed manager pages. Since the checks are missing rather than merely weak, a user without sufficient privileges can perform actions intended for higher roles, which amounts to a privilege escalation risk within the plugin. The impact could be system‑wide if the attacker gains administrator rights, but only the scope of the XML feed manager is directly affected.
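To make the CWE‑862 pattern concrete, the following is an added illustration written for this page, not the plugin's own code. It shows a feed‑manager save handler registered on WordPress's admin-post.php in two forms: the vulnerable form, which assumes that anyone reaching the handler is allowed to edit feeds, and the hardened form, which checks a capability and a nonce before touching data. The hook name `example_feed_save`, the option name `example_feed_manager_feeds`, the page slug `example-feed-manager` and the `manage_woocommerce` capability are assumptions chosen for the demonstration.

```php
<?php
/**
 * Illustrative example (not WPFactory's code): a feed-manager save handler
 * hooked on admin-post.php. Hook, option and page names are assumptions.
 *
 * The same defect shows up on wp_ajax_{action} and admin_init handlers:
 * being logged in is not the same as being authorized.
 */

// --- Vulnerable pattern (CWE-862) --------------------------------------------
// admin-post.php only requires a logged-in user; this handler never asks
// whether that user is allowed to manage feeds. Shown for contrast only; a real
// plugin would register one handler, so the registration is left commented out.
// add_action( 'admin_post_example_feed_save', 'example_feed_save_vulnerable' );
function example_feed_save_vulnerable() {
    $feeds = isset( $_POST['feeds'] ) ? wp_unslash( $_POST['feeds'] ) : array();
    update_option( 'example_feed_manager_feeds', $feeds ); // no capability check, no nonce
    wp_safe_redirect( admin_url( 'admin.php?page=example-feed-manager' ) );
    exit;
}

// --- Hardened pattern ---------------------------------------------------------
add_action( 'admin_post_example_feed_save', 'example_feed_save_hardened' );
function example_feed_save_hardened() {
    // Authorization: only users permitted to manage the shop may edit feeds.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage product feeds.', 'example' ), 403 );
    }
    // Request integrity: the submitting form must carry the matching nonce
    // (emitted with wp_nonce_field( 'example_feed_save' ) on the form).
    check_admin_referer( 'example_feed_save' );

    // Validate and sanitize before persisting; reject anything that is not an array.
    $raw   = isset( $_POST['feeds'] ) && is_array( $_POST['feeds'] ) ? wp_unslash( $_POST['feeds'] ) : array();
    $feeds = array();
    foreach ( $raw as $feed ) {
        if ( ! is_array( $feed ) ) {
            continue;
        }
        $feeds[] = array(
            'name' => sanitize_text_field( $feed['name'] ?? '' ),
            'url'  => esc_url_raw( $feed['url'] ?? '' ),
        );
    }
    update_option( 'example_feed_manager_feeds', $feeds );
    wp_safe_redirect( admin_url( 'admin.php?page=example-feed-manager' ) );
    exit;
}
```

The capability check is the authorization fix; the nonce check is a separate control against cross‑site request forgery and does not substitute for it. When reviewing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` and `admin_init` callback that reads request data and confirm that each one starts with a `current_user_can()` test appropriate to the action.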
Affected Systems
WPFactory’s Product XML Feed Manager for WooCommerce is affected in versions through 2.9.2 inclusive. Vendor: WPFactory; product: Product XML Feed Manager for WooCommerce. No lower bound was provided for the affected range, so all releases up to and including 2.9.2 should be treated as potentially vulnerable.
Risk and Exploitability
With a CVSS score of 6.5 the risk is moderate, and the low EPSS (<1%) suggests it is not yet actively exploited. Because the flaw is a missing authorization check rather than a buffer overflow or code injection, exploitation typically requires the attacker to authenticate to the WordPress backend or to reach the management URLs directly. The vulnerability is not referenced in KEV, so it is not yet widely leveraged by mass exploits. The recommended approach is to treat it as a moderate‑risk issue: patch immediately if an update is available; otherwise restrict access to the feed manager and monitor for unauthorized activity. Enforcing stricter role‑based access control on the feed manager URLs reduces the likelihood of exploitation until a patch is applied.
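The interim access restriction recommended above can be implemented without modifying the vulnerable plugin. The following is an added example written for this page, not code from WPFactory: a must‑use plugin that runs before the feed manager's own handlers and denies its admin screens and form/AJAX actions to anyone below a chosen capability, logging each denial so the attempts can be monitored. The page slug and action names are placeholders that must be replaced with the values the installed plugin actually registers (visible in its `add_menu_page`/`add_submenu_page` and `add_action( 'admin_post_…' )`/`add_action( 'wp_ajax_…' )` calls); `manage_options` is the assumed required capability.

```php
<?php
/**
 * Plugin Name: Feed Manager Access Guard (interim mitigation, example)
 *
 * Illustrative mu-plugin (not WPFactory's code). Place in wp-content/mu-plugins/
 * to put a capability check in front of the feed manager until the plugin is
 * updated. PLACEHOLDER_* values must be replaced with the installed plugin's
 * real page slug and action names.
 */

const EXAMPLE_FEED_MANAGER_PAGES   = array( 'PLACEHOLDER_FEED_MANAGER_PAGE_SLUG' );
const EXAMPLE_FEED_MANAGER_ACTIONS = array( 'PLACEHOLDER_FEED_SAVE_ACTION', 'PLACEHOLDER_FEED_DELETE_ACTION' );
const EXAMPLE_REQUIRED_CAP         = 'manage_options'; // assumed: administrators only

/**
 * Log the denied attempt for monitoring and stop the request with a 403.
 * Denials from low-privileged accounts are a useful detection signal.
 */
function example_feed_guard_deny( string $what ): void {
    $user = wp_get_current_user();
    error_log( sprintf(
        'feed-manager-guard: denied %s for user #%d (%s) from %s',
        $what,
        $user->ID,
        $user->user_login,
        sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '-' ) )
    ) );
    wp_die( esc_html__( 'Access to the product feed manager is restricted.' ), 403 );
}

// 1. Deny the admin screens on admin_init, before the plugin renders them.
add_action( 'admin_init', function () {
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( '' !== $page
        && in_array( $page, EXAMPLE_FEED_MANAGER_PAGES, true )
        && ! current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
        example_feed_guard_deny( 'page ' . $page );
    }
}, 0 );

// 2. Deny the form and AJAX actions. admin_post_{action} and wp_ajax_{action}
//    fire after admin_init; hooking at priority 0 runs this guard before the
//    plugin's handler, which typically registers at the default priority 10.
foreach ( EXAMPLE_FEED_MANAGER_ACTIONS as $action ) {
    $guard = function () use ( $action ) {
        if ( ! current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
            example_feed_guard_deny( 'action ' . $action );
        }
    };
    add_action( 'admin_post_' . $action, $guard, 0 );
    add_action( 'wp_ajax_' . $action, $guard, 0 );
}
```

Must‑use plugins load before regular plugins, so the guard is in place regardless of plugin load order, and it is removed simply by deleting the file once the patched release is installed. The `error_log` lines give a concrete string to alert on in the PHP error log; a burst of `feed-manager-guard: denied` entries from a subscriber‑level account is exactly the activity the advisory recommends monitoring for.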
OpenCVE Enrichment
EUVD