A missing authorization flaw in the Addonify Floating Cart For WooCommerce plugin enables an attacker to bypass the plugin’s access‑control checks and reach configuration pages or functionality that should be limited to administrators. The weakness is classified as CWE‑862, indicating role‑based access control is not enforced. Based on the description, it is inferred that an attacker who can authenticate as a WordPress user with limited permissions could exploit the flaw to modify the plugin’s settings or invoke features intended for higher‑privilege users.

The Addonify Floating Cart For WooCommerce plugin version 1.2.17 and earlier is affected. All installations of the plugin that rely on its default or incorrectly configured access‑level settings are susceptible, regardless of the WordPress site or hosting environment.

The vulnerability carries a CVSS score of 6.5, indicating medium severity. An EPSS score of less than 1% suggests a low likelihood of exploitation in the wild and the issue is not listed in CISA’s KEV catalog. The likely attack vector is via the plugin’s administrative interface, where a user can submit requests that the system incorrectly accepts as authorized. The risk is that an attacker could alter cart behavior or expose sensitive data associated with the shopping experience.