What the vulnerability does
01 Description
The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.
Explanation of Vulnerability in Simple Terms
02 Summary
The Ni WooCommerce Customer Product Report plugin for WordPress does not properly check user permissions before allowing modifications to report data. A logged-in user with low privileges can alter reports they should not have access to. The vulnerability affects versions up to 1.2.4. Update to a version newer than 1.2.4 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Modify or tamper with customer product reports without proper authorization.
Potential impact on your site
04 Site Impact
Unauthorized users can alter report data, compromising the integrity of customer analytics and business intelligence.
Conditions required to exploit
05 Prerequisites
Attacker must be logged in to the WordPress site with a low-privilege account (e.g., subscriber or contributor).
Key dates
06 Disclosure timeline
August 23, 2025: CVE published
April 8, 2026: Record updated