Description
Missing Authorization vulnerability in XforWooCommerce Product Loops for WooCommerce product-loops allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Loops for WooCommerce: from n/a through <= 2.1.2.
Published: 2025-12-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Product Loops for WooCommerce plugin that allows attackers to exploit incorrectly configured access control security levels. An attacker can gain unauthorized access to features or data that should be restricted, potentially exposing sensitive configuration settings or transaction data. The weakness is classified as CWE‑862, indicating an absence of proper authorization checks.

Affected Systems

Vendor XforWooCommerce’s Product Loops for WooCommerce plugin versions from n/a through 2.1.2 are affected. The issue is present in all releases ≤ 2.1.2 and does not apply to versions above that threshold.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, but the EPSS score of < 1% shows that exploitation is unlikely at this time. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack vector is likely a web‑based request to a plugin endpoint that skips authorization checks. An attacker would need access to the site’s URLs and may benefit from authentication with a user role that has sufficient privileges to interact with the plugin, but the flaw removes the expected role checks.

Generated by OpenCVE AI on April 29, 2026 at 15:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Product Loops for WooCommerce plugin to version 2.1.3 or later.
  • Verify that role‑based access controls in the plugin are correctly configured, ensuring that only authorized user roles can access premium features.
  • If an upgrade is pending, temporarily restrict plugin access to trusted administrators only until the patch is applied.

Generated by OpenCVE AI on April 29, 2026 at 15:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Xforwoocommerce
Xforwoocommerce product Loops
Vendors & Products Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Xforwoocommerce
Xforwoocommerce product Loops

Tue, 30 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in XforWooCommerce Product Loops for WooCommerce product-loops allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Loops for WooCommerce: from n/a through <= 2.1.2.
Title WordPress Product Loops for WooCommerce plugin <= 2.1.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Woocommerce Woocommerce
Wordpress Wordpress
Xforwoocommerce Product Loops
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:33.761Z

Reserved: 2025-12-29T11:18:13.435Z

Link: CVE-2025-68994

cve-icon Vulnrichment

Updated: 2025-12-30T15:41:54.084Z

cve-icon NVD

Status : Deferred

Published: 2025-12-30T11:15:58.173

Modified: 2026-04-27T19:16:40.587

Link: CVE-2025-68994

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T15:15:14Z

Weaknesses