CVE-2025-49998 MEDIUM

CVE-2025-49998: WordPress WooCommerce Fortnox Integration plugin <= 4.5.5 - Broken Access Control Vulnerability

Vendor Wetail
Product WooCommerce Fortnox Integration
Weakness CWE-862 · Missing authorization
Published June 20, 2025
Last update April 28, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

Missing Authorization vulnerability in Wetail WooCommerce Fortnox Integration (woocommerce-fortnox-integration) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Fortnox Integration: from n/a through <= 4.5.5.

Explanation of Vulnerability in Simple Terms

02 Summary

The WooCommerce Fortnox Integration plugin through version 4.5.5 lacks proper authorization checks on certain functions. A logged-in user with low privileges can call these functions to modify data or disrupt availability, because the plugin does not validate the caller's permissions. Exploitation requires a valid account on the site and does not expose sensitive information.

What an attacker can do

03 Attacker Capabilities

A logged-in user can modify or disrupt site data and functionality without proper authorization.

Potential impact on your site

04 Site Impact

Unauthorized users may alter WooCommerce or Fortnox integration settings, causing data corruption or service disruption.

Conditions required to exploit

05 Prerequisites

The attacker must have a low-privilege account on the site (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

June 20, 2025 CVE published
April 28, 2026 Record updated