What the vulnerability does
01Description
Missing Authorization vulnerability in WebToffee Product Import Export for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Product Import Export for WooCommerce: from n/a through 2.5.6.
Explanation of Vulnerability in Simple Terms
02Summary
Product Import Export for WooCommerce versions up to 2.5.6 lack proper authorization checks, allowing authenticated users with low privileges to access sensitive data they should not be able to view. An attacker with a basic WooCommerce account can read information restricted to higher-privilege users. Update to a version newer than 2.5.6.
What an attacker can do
03Attacker Capabilities
Read sensitive data restricted to higher-privilege users.
Potential impact on your site
04Site Impact
Customer or subscriber accounts can access import/export data meant only for administrators or shop managers.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege WooCommerce account (e.g., customer or subscriber role).
Key dates
06Disclosure timeline
May 27, 2026
CVE published
May 27, 2026
Record updated