Description
Missing Authorization vulnerability in Themeisle PPOM for WooCommerce woocommerce-product-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PPOM for WooCommerce: from n/a through <= 33.0.16.
Published: 2025-11-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Themeisle PPOM for WooCommerce plugin that allows exploitation of incorrectly configured access control security settings. The weakness, classed as CWE-862, indicates the plugin does not properly enforce role‑based restrictions, potentially permitting unauthorized actions that it should restrict.

Affected Systems

WordPress sites that have the Themeisle PPOM for WooCommerce plugin installed, any version up to and including 33.0.16.

Risk and Exploitability

The CVSS score of 4.3 classifies the issue as moderate severity, while the EPSS score below 1% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector involves the plugin’s web interface or API, requiring authenticated access to the WordPress site that can interact with the plugin or its configuration pages.

Generated by OpenCVE AI on April 29, 2026 at 23:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PPOM for WooCommerce to a version newer than 33.0.16.
  • If an upgrade is not immediately possible, disable or remove the plugin on production sites to eliminate the security gap.
  • Restrict access to the plugin’s configuration pages by ensuring only administrators have the capability to modify addon settings.

Generated by OpenCVE AI on April 29, 2026 at 23:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Themeisle
Themeisle ppom For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Themeisle
Themeisle ppom For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Fri, 21 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Themeisle PPOM for WooCommerce woocommerce-product-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PPOM for WooCommerce: from n/a through <= 33.0.16.
Title WordPress PPOM for WooCommerce plugin <= 33.0.16 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Themeisle Ppom For Woocommerce
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:15.729Z

Reserved: 2025-11-21T11:20:46.955Z

Link: CVE-2025-66069

cve-icon Vulnrichment

Updated: 2025-11-21T16:40:47.245Z

cve-icon NVD

Status : Deferred

Published: 2025-11-21T13:15:47.943

Modified: 2026-04-27T18:16:33.050

Link: CVE-2025-66069

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T23:15:23Z

Weaknesses