Impact
A missing authorization check in the WooCommerce Bulk Product Editor plugin allows an attacker who can reach the plugin's administrative pages to perform privileged operations on product records. Such an attacker may add, edit or delete products without the plugin verifying that they hold the required permission, compromising the integrity of store inventory. The flaw is a classic broken access control vulnerability (CWE-862): it can directly alter product information, pricing and availability, potentially leading to financial loss or erosion of customer trust.
Affected Systems
The issue affects the WooCommerce Bulk Product Editor plugin developed by vanquish and applies to all releases up to and including version 3.0. Users running any of these versions are vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1 % indicates that the probability of exploitation is currently very low, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector requires access to the WordPress admin area: the attacker must authenticate with a role that the plugin incorrectly trusts as having full product management rights. This means an attacker who can log in as an editor or developer, or who exploits a separate authentication weakness, can abuse the access-control flaw. The risk is elevated for sites that expose the plugin's administrative pages to untrusted users or that have weak role configurations.
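To make the missing check concrete, the following is an added illustration and not the plugin's own code: a hypothetical WooCommerce admin-ajax handler that updates a product price, shown first without any permission verification and then with the nonce and capability checks a hardened handler needs. The hook name, nonce action and function names are assumptions.

```php
<?php
// Added example (not the plugin's code). Hypothetical admin-ajax handler for a
// bulk price update; hook, nonce action and function names are assumptions.

// BEFORE: missing authorization (CWE-862). Any logged-in user who can reach
// admin-ajax.php can change prices, because nothing verifies their role.
function bpe_example_update_price_unchecked() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $product    = wc_get_product( $product_id );
    if ( ! $product ) {
        wp_send_json_error( 'unknown product', 404 );
    }
    $product->set_regular_price( wc_format_decimal( wp_unslash( $_POST['price'] ?? '' ) ) );
    $product->save();
    wp_send_json_success();
}

// AFTER: the same operation with the checks a reviewer expects to see.
function bpe_example_update_price_checked() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'bpe_example_bulk_edit', 'nonce' );

    $product_id = absint( $_POST['product_id'] ?? 0 );

    // 2. Authorization: the caller must hold the WooCommerce capability for
    //    editing this specific product. WooCommerce grants it to Administrator
    //    and Shop manager by default, not to Editor.
    if ( ! current_user_can( 'edit_product', $product_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $product = wc_get_product( $product_id );
    if ( ! $product ) {
        wp_send_json_error( 'unknown product', 404 );
    }

    // 3. Input validation before touching the record.
    $price = wc_format_decimal( wp_unslash( $_POST['price'] ?? '' ) );
    if ( '' === $price || ! is_numeric( $price ) ) {
        wp_send_json_error( 'invalid price', 400 );
    }

    $product->set_regular_price( $price );
    $product->save();
    wp_send_json_success( array( 'product_id' => $product_id ) );
}

// Register only the hardened handler; the unchecked one is kept for contrast.
add_action( 'wp_ajax_bpe_example_update_price', 'bpe_example_update_price_checked' );
```

When auditing a plugin for this class of flaw, look for every `wp_ajax_*`, `admin_post_*` or REST callback that writes product data and confirm it performs both a nonce check and a `current_user_can()` check before the write.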
OpenCVE Enrichment