Description
Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce woo-thank-you-page-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thank You Page Customizer for WooCommerce: from n/a through <= 1.1.8.
Published: 2025-12-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a missing authorization check (CWE-862): the plugin performs some action for any authenticated user without verifying that the caller holds the capability the action should require. The CVSS 3.1 vector currently recorded on this page (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) describes an action that is reachable over the network, needs only a low-privilege account and no user interaction, and yields a limited confidentiality impact with no integrity or availability impact. The earlier assessment recorded in the history below scored the same issue 8.1 with high confidentiality and integrity impact, so the exact reachable action should be treated as unconfirmed until the vendor or the assigner publishes details; the description does not name the endpoint. Under either reading the impact stays within the plugin's own configuration and data, and nothing on this page indicates code execution or a broader site compromise.
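
The pattern behind this class of bug, as an added illustration that is not code from the VillaTheme plugin: a WordPress AJAX handler that treats "logged in" as "authorized", beside the hardened form with an explicit capability check, a nonce on the state-changing action, and a REST route whose permission_callback does the same job. The handler names, the example_tyc_ prefix and the option name are assumptions made for the example.

```php
<?php
/**
 * Illustrative CWE-862 (missing authorization) pattern in a WordPress plugin.
 * Added example for this page, not code from the VillaTheme plugin: handler
 * names, the example_tyc_* prefix and the option name are assumptions.
 */

// ---- Vulnerable shape: authentication is mistaken for authorization. ----
// wp_ajax_* hooks only run for logged-in users, so a developer may assume the
// caller is staff. Any role that can log in (subscriber, WooCommerce customer)
// reaches this handler and reads the stored configuration (a confidentiality
// impact, which is what this CVE's recorded C:L vector describes).
add_action( 'wp_ajax_example_tyc_get_settings', 'example_tyc_get_settings_vulnerable' );
function example_tyc_get_settings_vulnerable() {
    wp_send_json_success( get_option( 'example_tyc_settings', array() ) );
}

// ---- Hardened shape: explicit capability check before doing anything. ----
add_action( 'wp_ajax_example_tyc_get_settings_safe', 'example_tyc_get_settings_safe' );
function example_tyc_get_settings_safe() {
    // manage_woocommerce is held by administrators and shop managers only.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }
    wp_send_json_success( get_option( 'example_tyc_settings', array() ) );
}

// ---- Same rule for a state-changing action: capability + nonce + sanitising. ----
add_action( 'wp_ajax_example_tyc_save_settings', 'example_tyc_save_settings_safe' );
function example_tyc_save_settings_safe() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF: the nonce must have been issued for this action to this user
    // (wp_create_nonce( 'example_tyc_save_settings' ) on the settings screen).
    check_ajax_referer( 'example_tyc_save_settings', 'nonce' );

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    // Whitelist the fields and sanitise each one; never store raw request input.
    $settings = array(
        'heading' => sanitize_text_field( $raw['heading'] ?? '' ),
        'message' => wp_kses_post( $raw['message'] ?? '' ),
    );
    update_option( 'example_tyc_settings', $settings );
    wp_send_json_success( $settings );
}

// ---- REST routes: permission_callback is the authorization hook. ----
// Registering the route with 'permission_callback' => '__return_true' would be
// the REST-API form of the same weakness.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-tyc/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( get_option( 'example_tyc_settings', array() ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );
} );
```

A quick regression check that applies to any plugin, not just this one: log in with a subscriber-level account, call every wp_ajax_* action and REST route the plugin registers, and treat anything that answers with data or success instead of a 403 as a CWE-862 candidate.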

Affected Systems

VillaTheme Thank You Page Customizer for WooCommerce (plugin slug woo-thank-you-page-customizer) up to and including version 1.1.8 is affected. The advisory gives no lower bound ("from n/a"), so every release through 1.1.8 should be treated as affected. Any WordPress site running one of those versions is exposed to the extent that it allows low-privilege accounts, for example customer registration.

Risk and Exploitability

The CVSS base score of 4.3 (Medium) and an EPSS below 1% indicate a low likelihood of exploitation at the time of writing, and the CVE is not in the CISA KEV catalog; the SSVC record on this page marks it as not automatable with no known exploitation. The vector requires a low-privilege authenticated account (PR:L), so the realistic attacker is a registered user, such as a WooCommerce customer on a shop with open registration. Nothing in the vector or the description supports unauthenticated exploitation. Note the rescoring history below: the initial 8.1 vector (C:H/I:H) was replaced by 4.3 (C:L/I:N) on 2026-04-23, a material change for anyone who ranked this finding before that date.

Generated by OpenCVE AI on April 29, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to any release later than 1.1.8 once the vendor publishes one; until this page records a fixed version, confirm the fix in the plugin's changelog rather than assuming the next release contains it.
  • Do not rely on URL-level restrictions (for example .htaccess rules on /wp-admin/) to fix missing authorization: WordPress admin screens, admin-ajax.php and the REST API are shared by every logged-in role, so the check has to be a capability check inside the handler, which only the vendor can supply. As temporary containment, since the vector requires a low-privilege login, disable open user registration (Settings > General > "Anyone can register"), review WooCommerce's account-creation settings, and review the roles of existing accounts.
  • Audit the current thank-you page settings and enable an audit trail of option changes with user attribution, so that edits by accounts without an administrator or shop-manager capability are visible after remediation.
  • If no fixed release is available and the site allows low-privilege accounts, deactivate the plugin until a fix is released.
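
One way to get the audit trail the third recommendation asks for, as an added example and not OpenCVE or VillaTheme code: a must-use plugin that hooks WordPress's option lifecycle actions and logs who changed which option, together with whether that user held the capability that should have been required. The option-name prefix and the expected capability are assumptions for the example; the prefix has to be replaced with the names the plugin actually writes.

```php
<?php
/**
 * Plugin Name: Example option audit trail
 * Description: Logs who changed which wp_options entry, with role and capability
 * context, so edits made by accounts that should not be able to touch a plugin's
 * settings stand out. Added example for this page, not OpenCVE or VillaTheme code;
 * install as wp-content/mu-plugins/example-option-audit.php.
 *
 * ASSUMPTION: the option-name prefixes below are placeholders. Replace them with
 * the names the plugin actually writes (inspect wp_options after saving its settings).
 */

const EXAMPLE_AUDIT_OPTION_PREFIXES = array( 'example_tyc_' );

// Capability that legitimately entitles a user to change shop settings (assumed).
const EXAMPLE_AUDIT_EXPECTED_CAP = 'manage_woocommerce';

function example_audit_is_watched( $option ) {
    foreach ( EXAMPLE_AUDIT_OPTION_PREFIXES as $prefix ) {
        if ( 0 === strpos( $option, $prefix ) ) {
            return true;
        }
    }
    return false;
}

function example_audit_record( $event, $option, $old_value, $new_value ) {
    if ( ! example_audit_is_watched( $option ) ) {
        return;
    }
    $user  = wp_get_current_user();
    $entry = array(
        'ts'         => gmdate( 'c' ),
        'event'      => $event,
        'option'     => $option,
        // Cron, WP-CLI and unauthenticated requests have no user; say so explicitly.
        'user'       => $user->exists() ? $user->user_login . '#' . $user->ID : 'no-user',
        'roles'      => $user->exists() ? implode( ',', $user->roles ) : '',
        // false with a real user is the signal: a write by a caller who should not be able to.
        'authorized' => current_user_can( EXAMPLE_AUDIT_EXPECTED_CAP ),
        // REMOTE_ADDR is the proxy's address behind a reverse proxy; adjust if needed.
        'ip'         => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'uri'        => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        // Hash rather than log the values: settings may contain HTML or secrets.
        'old_sha256' => hash( 'sha256', maybe_serialize( $old_value ) ),
        'new_sha256' => hash( 'sha256', maybe_serialize( $new_value ) ),
    );
    // PHP error log for the example; ship to syslog or a SIEM in production.
    error_log( 'option-audit ' . wp_json_encode( $entry ) );
}

add_action( 'added_option', function ( $option, $value ) {
    example_audit_record( 'added', $option, null, $value );
}, 10, 2 );

add_action( 'updated_option', function ( $option, $old_value, $value ) {
    example_audit_record( 'updated', $option, $old_value, $value );
}, 10, 3 );

add_action( 'deleted_option', function ( $option ) {
    example_audit_record( 'deleted', $option, null, null );
}, 10, 1 );
```

A log line with a named user and "authorized":false is a direct indicator of the class of issue this CVE describes. To block rather than log, the same capability test can be placed on the pre_update_option_{$option} filter (returning the old value cancels the write), with the caveat that it also stops cron and WP-CLI writes, which run with no user.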


Tracking


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1)
  Removed: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
  Added:   {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 11 Dec 2025 20:15:00 +0000

Metrics (cvssV3_1)
  Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 18:00:00 +0000

First Time appeared
  Added: Villatheme; Villatheme thank You Page Customizer For Woocommerce; Wordpress; Wordpress wordpress
Vendors & Products
  Added: Villatheme; Villatheme thank You Page Customizer For Woocommerce; Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 14:30:00 +0000

Description
  Added: Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce woo-thank-you-page-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thank You Page Customizer for WooCommerce: from n/a through <= 1.1.8.
Title
  Added: WordPress Thank You Page Customizer for WooCommerce plugin <= 1.1.8 - Broken Access Control vulnerability
Weaknesses
  Added: CWE-862
References
  (none recorded)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:19.129Z

Reserved: 2025-12-04T04:07:13.046Z

Link: CVE-2025-66528

Vulnrichment

Updated: 2025-12-11T19:04:16.263Z

NVD

Status : Deferred

Published: 2025-12-09T16:18:20.023

Modified: 2026-04-27T18:16:38.230

Link: CVE-2025-66528

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:00:14Z

Weaknesses