CVE-2025-12975 HIGH

CVE-2025-12975: CTX Feed – WooCommerce Product Feed Manager <= 6.6.11 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Plugin Installation

Vendor Wahid0003
Product Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels
Weakness CWE-862 · Missing authorization
Published February 19, 2026
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install arbitrary plugins which can be leveraged to achieve remote code execution.

Explanation of Vulnerability in Simple Terms

02Summary

The Product Feed Manager for WooCommerce plugin contains an authorization flaw that allows high-privilege users to read, modify, or delete sensitive data. An attacker with administrator or equivalent access can exploit this to access restricted functionality without proper permission checks. All versions up to 6.6.11 are affected.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete sensitive data if they have high-level site access.

Potential impact on your site

04Site Impact

Privileged users can bypass authorization controls to access or alter feed data and settings.

Conditions required to exploit

05Prerequisites

Attacker must have administrator or equivalent high-privilege account on the WordPress site.

Key dates

06Disclosure timeline

February 19, 2026 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2025-24682 WordPress Super Block Slider plugin <= 2.7.9 - Broken Access Control vulnerability CVE-2023-4728 LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 - Missing Authorization on publish_lp() CVE-2024-3581 MaxGalleria <= 6.4.2 - Missing Authorization CVE-2025-9218 rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function CVE-2025-68088 WordPress Huger for Elementor plugin <= 1.1.5 - Broken Access Control vulnerability