Impact
The Amazon Products to WooCommerce plugin contains a missing capability check in the wcta2w_get_amazon_product_callback() function. This omission permits unauthenticated attackers to invoke the callback and create new WooCommerce products without proper authorization. The vulnerability could be abused to inject unwanted products into a store, potentially leading to defacement, misinformation, or redirection of traffic to malicious content. Exploitation requires only the ability to send an HTTP request to the plugin's callback endpoint; no elevated privileges or complex setup are needed.
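The bug class described above (a WordPress AJAX callback that writes to the store without checking who is calling) is easiest to understand as a before/after pair. The following is an added illustration, not code from the Amazon Products to WooCommerce plugin or from its vendor: the action name `example_import_product`, the handler function names, and the choice of the `manage_woocommerce` capability are assumptions made for the example.

```php
<?php
/**
 * Added example: a hypothetical WordPress AJAX handler showing the missing
 * capability check pattern and its hardened form. Not the plugin's own code;
 * action names, function names and the required capability are assumptions.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Registering the callback on wp_ajax_nopriv_* exposes it to logged-out
// visitors, and the callback performs a privileged write (creating a product)
// without a nonce check or a capability check.
add_action( 'wp_ajax_example_import_product',        'example_import_product_vulnerable' );
add_action( 'wp_ajax_nopriv_example_import_product', 'example_import_product_vulnerable' );

function example_import_product_vulnerable() {
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

    // Anyone who can reach admin-ajax.php can create a published product.
    $post_id = wp_insert_post( array(
        'post_type'   => 'product',
        'post_status' => 'publish',
        'post_title'  => $title,
    ) );

    wp_send_json_success( array( 'id' => $post_id ) );
}

// --- Hardened pattern --------------------------------------------------------
// 1. No wp_ajax_nopriv_* registration: anonymous requests never reach the code.
// 2. check_ajax_referer() rejects requests that lack a valid nonce (CSRF).
// 3. current_user_can() enforces the capability needed to manage products.
add_action( 'wp_ajax_example_import_product_safe', 'example_import_product_safe' );

function example_import_product_safe() {
    // Dies with a 403 response when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_import_product', 'nonce' );

    // Capability check: only users allowed to manage the shop may create products.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Missing product title.' ), 400 );
    }

    // Create the product as a draft so a human reviews it before it goes live;
    // the second argument makes wp_insert_post() return a WP_Error on failure.
    $post_id = wp_insert_post( array(
        'post_type'   => 'product',
        'post_status' => 'draft',
        'post_title'  => $title,
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'id' => $post_id ) );
}
```

The client side of the hardened handler must send a nonce generated with `wp_create_nonce( 'example_import_product' )` in the `nonce` field; without it `check_ajax_referer()` terminates the request before any product is created. The two checks are complementary: the nonce defends against cross-site request forgery by a logged-in admin's browser, while `current_user_can()` is what closes the authorization gap the advisory describes.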
Affected Systems
WordPress sites running the Amazon Products to WooCommerce plugin version 1.2.7 or earlier are affected. The plugin is developed by the vendor suhailahmad64 and is distributed through the WordPress plugin repository. Any installation of the plugin prior to version 1.2.8 is vulnerable.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Attackers could exploit the flaw by sending a crafted request to the exposed callback endpoint; because no additional authentication is required, the vector is likely web-based and publicly reachable. Although the overall risk is moderate, the absence of any authorization check makes the flaw significant enough to warrant prompt remediation.
OpenCVE Enrichment