CVE-2025-14173

MEDIUM5.3

Perfit WooCommerce <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion

Published Jan 14, 2026

Modified 2 days ago

No fix available

Details

The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the logout function called via the actions function hooked to admin_init. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the action parameter.

References

WEBhttps://plugins.trac.wordpress.org/browser/perfit-woocommerce/tags/1.0.1/includes/class-wcp-settings-tab.php#L102 WEBhttps://plugins.trac.wordpress.org/browser/perfit-woocommerce/trunk/includes/class-wcp-settings-tab.php#L102 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-14173 WEBhttps://www.wordfence.com/threat-intel/vulnerabilities/id/cb141b46-2585-4b58-8d91-0cdb275348a1?source=cve

CVSS Analysis

CVSS v3.1

5.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

LowI:L

Availability

NoneA:N

5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Weakness Type (CWE)

Access Control

CWE-862

Missing Authorization

Ecosystems

Timeline

PublishedJan 14, 2026

ModifiedJan 14, 2026