What the vulnerability does
01 Description
Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce (woo-thank-you-page-customizer) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thank You Page Customizer for WooCommerce: from n/a through <= 1.1.7.
Explanation of Vulnerability in Simple Terms
02 Summary
The Thank You Page Customizer for WooCommerce plugin fails to properly check user permissions before allowing access to sensitive settings. A logged-in user with low privileges can read configuration data they should not have access to. The vulnerability affects versions up to 1.1.7. Update to a version newer than 1.1.7 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Read sensitive plugin configuration and settings data without proper authorization.
Potential impact on your site
04 Site Impact
Unauthorized users can access private plugin settings, potentially exposing store configuration or sensitive WooCommerce data.
Conditions required to exploit
05 Prerequisites
Attacker must be logged in to the WordPress site with a low-privilege account (e.g., subscriber or contributor).
Key dates
06 Disclosure timeline
August 14, 2025
CVE published
April 28, 2026
Record updated