Description
Missing Authorization vulnerability in Bytes Technolab Add Product Frontend for WooCommerce add-product-frontend-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Product Frontend for WooCommerce: from n/a through <= 1.0.8.
Published: 2025-04-17
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin contains a missing‑authorization flaw that allows an attacker to delete arbitrary content. The vulnerability is identified as CWE‑862 (Missing Authorization), an authorization weakness caused by incorrectly configured access controls. An attacker who can reach the plugin front‑end can trigger deletion requests without needing legitimate administrative privileges.

Affected Systems

The affected product is the Bytes Technolab Add Product Frontend for WooCommerce WordPress plugin. All versions from the first release (n/a) through 1.0.8 are impacted; users who run any of those versions face the deletion flaw until they upgrade.

Risk and Exploitability

The CVSS score of 8.2 rates the flaw as High severity. The EPSS score is less than 1%, indicating a low exploitation probability as of now, and the flaw is not listed in the CISA KEV catalog. The flaw can be exploited through the public front‑end of the site without authentication; the CVSS vector (AV:N, PR:N) describes it as reachable over the network with no privileges required. Because the plugin exposes a deletion endpoint without checking user capabilities, any user who can access that endpoint can delete products.

Generated by OpenCVE AI on April 30, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Add Product Frontend for WooCommerce plugin to the latest available version, where the authorization checks have been corrected.
  • Re‑evaluate user role capabilities in WordPress and confirm that only the appropriate roles (e.g., administrators or product managers) retain the capability to delete products; remove the delete capability from any other roles.
  • Audit and disable any unused plugin hooks or custom URLs that expose product deletion functionality.

Advisories
Source: EUVD
ID: EUVD-2025-11695
Title: Missing Authorization vulnerability in Bytes Technolab Add Product Frontend for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Product Frontend for WooCommerce: from n/a through 1.0.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in Bytes Technolab Add Product Frontend for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Product Frontend for WooCommerce: from n/a through 1.0.6.
  Added: Missing Authorization vulnerability in Bytes Technolab Add Product Frontend for WooCommerce add-product-frontend-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Product Frontend for WooCommerce: from n/a through <= 1.0.8.
Title
  Removed: WordPress Add Product Frontend for WooCommerce plugin <= 1.0.6 - Arbitrary Content Deletion vulnerability
  Added: WordPress Add Product Frontend for WooCommerce plugin <= 1.0.8 - Arbitrary Content Deletion vulnerability
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Bytes Technolab Add Product Frontend for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Product Frontend for WooCommerce: from n/a through 1.0.6.
Title WordPress Add Product Frontend for WooCommerce plugin <= 1.0.6 - Arbitrary Content Deletion vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:25.053Z

Reserved: 2025-04-09T11:20:21.866Z

Link: CVE-2025-32593

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2025-04-17T16:15:45.490

Modified: 2026-04-23T15:29:10.417

Link: CVE-2025-32593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:00:08Z
