CVE-2025-66089 MEDIUM

CVE-2025-66089: WordPress Product Feed for WooCommerce plugin <= 2.3.1 - Broken Access Control vulnerability

Vendor Webtoffee
Product Product Feed for WooCommerce
Weakness CWE-862 · Missing authorization
Published November 21, 2025
Last update April 28, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.1.

Explanation of Vulnerability in Simple Terms

02Summary

Product Feed for WooCommerce versions up to 2.3.1 lack proper authorization checks, allowing authenticated users with low privileges to access sensitive product feed data they should not see. An attacker with a basic user account can read feed information without proper permission validation. This affects confidentiality but not data integrity or availability.

What an attacker can do

03Attacker Capabilities

Read product feed data that should be restricted to higher-privilege users.

Potential impact on your site

04Site Impact

Unauthorized users can view sensitive product feed configuration and data, potentially exposing business information.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege authenticated account on the WooCommerce site.

Key dates

06Disclosure timeline

November 21, 2025 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE