Description
The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.
Published: 2025-08-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of Plugin Settings by Authenticated Users
Action: Apply Patch
AI Analysis

Impact

The Ni WooCommerce Customer Product Report plugin contains a missing capability check in the ni_woocpr_action() function for all releases up to version 1.2.4. This defect allows an attacker who is logged in with a Subscriber role or higher to change the plugin’s configuration settings without proper authorization. Altered settings could affect the accuracy of customer product reports, redirect data flows, or expose sensitive operational parameters, thereby compromising the integrity of the site’s reporting functionality.

Affected Systems

Any WordPress installation that has the Ni WooCommerce Customer Product Report plugin version 1.2.4 or earlier installed, regardless of active theme or other plugins. The vendor is Anzia, and the product is the Ni WooCommerce Customer Product Report plugin.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3, indicating moderate severity, and an EPSS score of less than 1%, showing that opportunistic exploitation is unlikely. It is not listed in the CISA KEV catalogue. The attack vector is inferred to be local: an authenticated user must first log into the WordPress site with at least Subscriber privileges and then submit a request to the affected endpoint. No additional exploitation prerequisites or remote code execution are documented in the official description.

Generated by OpenCVE AI on April 21, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ni WooCommerce Customer Product Report plugin to the latest version, which implements proper capability checks for the ni_woocpr_action() function.
  • If an upgrade is not immediately possible, remove the plugin or disable it for Subscriber and other low‑privilege roles using role‑based access controls or a security plugin that restricts capability access.
  • Ensure that no Subscriber or lower‑level role has the capability to modify WooCommerce plugin settings by reviewing and tightening role capabilities in WordPress or via a role‑management plugin.



Advisories
Source: EUVD
ID: EUVD-2025-25734
Title: The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.

History

Mon, 25 Aug 2025 21:45:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 23 Aug 2025 12:00:00 +0000

Type: First Time appeared
Values Added: Anzia, Anzia ni Woocommerce Customer Product Report, Woocommerce, Woocommerce woocommerce, Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Added: Anzia, Anzia ni Woocommerce Customer Product Report, Woocommerce, Woocommerce woocommerce, Wordpress, Wordpress wordpress

Sat, 23 Aug 2025 04:30:00 +0000

Type: Description
Values Added: The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.

Type: Title
Values Added: Ni WooCommerce Customer Product Report <= 1.2.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:00.537Z

Reserved: 2025-07-18T18:56:49.261Z

Link: CVE-2025-7827

Vulnrichment

Updated: 2025-08-25T17:33:29.187Z

NVD

Status: Deferred

Published: 2025-08-23T05:15:32.573

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7827

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:30:26Z

Weaknesses