Description
Missing Authorization vulnerability in cscode WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily innovs-woo-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily: from n/a through <= 1.2.4.5.
Published: 2025-06-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from missing authorization in the WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily plugin, allowing attackers to bypass intended access controls. This flaw is identified as a CWE-862 missing authorization weakness, and it can enable an attacker to interact with administrative settings or cart customization features without the appropriate user privileges. The potential impact is the unauthorized modification of cart behavior and checkout fields, which could affect order processing and customer data integrity.

Affected Systems

The affected system is the WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily plugin, distributed by cscode. All versions from the earliest release through 1.2.4.5 are impacted. No other vendor or product is listed.

Risk and Exploitability

The CVSS base score is 5.4, indicating medium severity, and the EPSS score is below 1%, suggesting a low probability of exploitation in the general population. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the likely attack vector involves accessing plugin configuration or cart-related interfaces that are normally restricted to privileged users, and the attacker would need access to the site interface or API where the plugin functionality is exposed.

Generated by OpenCVE AI on April 30, 2026 at 10:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install any available plugin update that addresses the missing authorization flaw; if no update exists, remove or disable the plugin until a fix is released.
  • Restrict access to the plugin’s administrative features by ensuring only administrator roles can access its configuration page, and confirm that guest and lower‑privileged roles are blocked from these functions.
  • Monitor access logs for unexpected or repeated attempts to reach the plugin’s configuration or cart modification endpoints, and block offending IPs or users if suspicious activity is detected.

Generated by OpenCVE AI on April 30, 2026 at 10:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18899 Missing Authorization vulnerability in cscode WooCommerce Manager &#8211; Customize and Control Cart page, Add to Cart button, Checkout fields easily allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Manager &#8211; Customize and Control Cart page, Add to Cart button, Checkout fields easily: from n/a through 1.2.4.5.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in cscode WooCommerce Manager &#8211; Customize and Control Cart page, Add to Cart button, Checkout fields easily innovs-woo-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Manager &#8211; Customize and Control Cart page, Add to Cart button, Checkout fields easily: from n/a through <= 1.2.4.5. Missing Authorization vulnerability in cscode WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily innovs-woo-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily: from n/a through <= 1.2.4.5.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in cscode WooCommerce Manager &#8211; Customize and Control Cart page, Add to Cart button, Checkout fields easily allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Manager &#8211; Customize and Control Cart page, Add to Cart button, Checkout fields easily: from n/a through 1.2.4.5. Missing Authorization vulnerability in cscode WooCommerce Manager &#8211; Customize and Control Cart page, Add to Cart button, Checkout fields easily innovs-woo-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Manager &#8211; Customize and Control Cart page, Add to Cart button, Checkout fields easily: from n/a through <= 1.2.4.5.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Mon, 23 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in cscode WooCommerce Manager &#8211; Customize and Control Cart page, Add to Cart button, Checkout fields easily allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Manager &#8211; Customize and Control Cart page, Add to Cart button, Checkout fields easily: from n/a through 1.2.4.5.
Title WordPress WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily plugin <= 1.2.4.5 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:24:46.334Z

Reserved: 2025-06-11T16:08:11.573Z

Link: CVE-2025-50008

cve-icon Vulnrichment

Updated: 2025-06-23T15:31:26.638Z

cve-icon NVD

Status : Deferred

Published: 2025-06-20T15:15:26.210

Modified: 2026-06-17T09:34:28.750

Link: CVE-2025-50008

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T11:00:15Z

Weaknesses