Description
Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers woocommerce-loyal-customer allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce Loyal Customers: from n/a through <= 2.6.
Published: 2025-04-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that lets users access functionality in the WooCommerce Loyal Customers plugin that should be restricted by access control lists. Because the plugin does not properly check user permissions, an attacker could use the exposed features to bypass normal role restrictions and potentially retrieve or manipulate sensitive customer loyalty data. This flaw directly compromises confidentiality and integrity of the system’s loyalty information.

Affected Systems

The Right Software’s WooCommerce Loyal Customers plugin is affected for all releases up through version 2.6. The flaw exists on WordPress installations that have the plugin active, regardless of the specific WordPress theme or additional plugins in use.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk, but the EPSS score of less than 1% suggests that at the time of this analysis exploitation is unlikely to be widespread. The plugin is not listed in the CISA KEV catalog, implying no confirmed widespread exploitation. It is inferred that the attack vector likely involves any authenticated user—potentially even one with a low‑privileged role—who can interact with the plugin’s API or admin UI, and that an attacker could exploit the issue without requiring other vulnerabilities to be present.

Generated by OpenCVE AI on April 30, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce Loyal Customers plugin to the latest version (2.7 or later) to eliminate the missing authorization checks.
  • If upgrading is not immediately possible, restrict the plugin’s administrative URLs so that only users with the administrator role can access them, for example by adding capability checks or using access‑control plugins.
  • As an additional safeguard, review the plugin’s code or settings to ensure that any functions interacting with loyalty data enforce proper role verification, and monitor site logs for unexpected access patterns.
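The last two recommendations amount to one review rule: every handler that reads or changes loyalty data must verify the caller's capability before doing anything else (CWE-862 is the absence of exactly that check). The PHP below is an added illustration written for this page; it is not code from the WooCommerce Loyal Customers plugin, and every hook, function and route name in it (the `example_loyalty_*` names, the `example-loyalty/v1` namespace) is a placeholder. It shows the pattern a reviewer should flag (an AJAX handler that is reachable by anyone and never asks who is calling) next to the hardened form using WordPress's real `current_user_can`, `check_ajax_referer` and REST `permission_callback` APIs. `manage_woocommerce` is WooCommerce's own store-management capability; the choice of that capability rather than `manage_options` is an assumption about what "administrative" should mean for this data.

```php
<?php
/**
 * Added illustration, not the plugin's own code. All example_* names and the
 * example-loyalty/v1 REST namespace are hypothetical placeholders.
 */

// --- Pattern to flag in review: handler with no authorization check ---
// Hooked for logged-in AND anonymous requests, and the callback never
// inspects the caller, so any request reaches the loyalty data.
add_action( 'wp_ajax_example_loyalty_export',        'example_loyalty_export_unchecked' );
add_action( 'wp_ajax_nopriv_example_loyalty_export', 'example_loyalty_export_unchecked' );

function example_loyalty_export_unchecked() {
    wp_send_json_success( example_loyalty_fetch_rows() );
}

// --- Hardened form: capability check, nonce check, no nopriv hook ---
add_action( 'wp_ajax_example_loyalty_export_secure', 'example_loyalty_export_secure' );

function example_loyalty_export_secure() {
    // 1. Authorization: only users who may manage the store get loyalty data.
    //    wp_send_json_error() exits after sending the 403, so nothing below runs.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. Request-forgery protection: the request must carry a nonce issued for
    //    this action (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'example_loyalty_export', 'nonce' );

    wp_send_json_success( example_loyalty_fetch_rows() );
}

// --- Same rule for REST routes: permission_callback must enforce the role ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-loyalty/v1', '/customers', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( example_loyalty_fetch_rows() );
        },
        // Using '__return_true' here would reproduce the missing-authorization bug.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );
} );

// Placeholder data source with constructed sample rows; a real plugin would
// query its own loyalty tables here.
function example_loyalty_fetch_rows() {
    return array(
        array( 'customer_id' => 101, 'points' => 1500 ),
        array( 'customer_id' => 102, 'points' => 320 ),
    );
}
```

When auditing an installed plugin against this rule, grep for `wp_ajax_nopriv_` hooks and for `register_rest_route` calls whose `permission_callback` is `__return_true` or absent, then confirm that each remaining callback calls `current_user_can` before touching data; a nonce check alone is not authorization, since nonces are issued to low-privileged users too.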


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-11673
Title: Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce Loyal Customers: from n/a through 2.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce Loyal Customers: from n/a through 2.6.
  Added: Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers woocommerce-loyal-customer allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce Loyal Customers: from n/a through <= 2.6.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 18 Apr 2025 08:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce Loyal Customers: from n/a through 2.6.
Title WordPress WooCommerce Loyal Customers plugin <= 2.6 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Woocommerce

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:24.058Z

Reserved: 2025-04-09T11:19:50.088Z

Link: CVE-2025-32544

Vulnrichment

Updated: 2025-04-17T17:42:20.920Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:42.683

Modified: 2026-04-23T15:29:04.773

Link: CVE-2025-32544

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:00:08Z

Weaknesses