{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11269", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-03T20:10:38.492Z", "datePublished": "2025-10-25T05:31:17.552Z", "dateUpdated": "2026-04-08T16:32:59.075Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:59.075Z"}, "affected": [{"vendor": "woobewoo", "product": "Product Filter for WooCommerce by WBW", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Product Filter by WBW plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'approveNotice' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to update the plugin's settings."}], "title": "Product Filter by WBW <= 3.0.0 - Missing Authorization to Unauthenticated Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03b1d518-0e5d-4c28-af04-52611ad583a8?source=cve"}, {"url": "https://github.com/wpcodefactory/woo-product-filter/commit/313f69908cadc31fa9c1e098ff989dc4f75dfdb5"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3382669%40woo-product-filter&new=3382669%40woo-product-filter&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "timeline": [{"time": "2025-10-21T12:30:11.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-24T17:28:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:45:02.383078Z", "id": "CVE-2025-11269", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:57:12.856Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11269", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:45:02.383078Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:45:19.567Z"}}], "cna": {"title": "Product Filter by WBW <= 3.0.0 - Missing Authorization to Unauthenticated Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "woobewoo", "product": "Product Filter for WooCommerce by WBW", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-21T12:30:11.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-24T17:28:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03b1d518-0e5d-4c28-af04-52611ad583a8?source=cve"}, {"url": "https://github.com/wpcodefactory/woo-product-filter/commit/313f69908cadc31fa9c1e098ff989dc4f75dfdb5"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3382669%40woo-product-filter&new=3382669%40woo-product-filter&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Product Filter by WBW plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'approveNotice' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to update the plugin's settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:59.075Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11269", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:59.075Z", "dateReserved": "2025-10-03T20:10:38.492Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T05:31:17.552Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Product Filter by WBW plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'approveNotice' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to update the plugin's settings."}], "id": "CVE-2025-11269", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T06:15:35.107", "references": [{"source": "security@wordfence.com", "url": "https://github.com/wpcodefactory/woo-product-filter/commit/313f69908cadc31fa9c1e098ff989dc4f75dfdb5"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3382669%40woo-product-filter&new=3382669%40woo-product-filter&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03b1d518-0e5d-4c28-af04-52611ad583a8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:53:07.784711+00:00", "value": {"mitigation_remediation": ["Upgrade Product Filter for WooCommerce by WBW to a version newer than 3.0.0 to eliminate the missing capability check.", "If an upgrade is not immediately possible, restrict the 'approveNotice' action so that it only accepts requests from users with administrator privileges, or disable the plugin\u2019s settings page for non-admin roles.", "Audit WordPress user accounts for any non-admin users with full access and remove or role-restrict them, and monitor the plugin's configuration for unexpected changes."], "summary": {"action": "Patch Now", "impact": "Unauthorized Settings Modification"}, "threat_synthesis": {"affected_systems": "The affected product is Product Filter for WooCommerce by WBW, commonly known as the Product Filter by WBW plugin. All releases through version 3.0.0 are affected; newer releases (3.0.1 and beyond) are not documented as vulnerable. Any WordPress site deploying the plugin at or below this version should review its installation.", "description_and_impact": "The Product Filter by WBW plugin for WordPress lacks a capability check on the 'approveNotice' action in all versions up to 3.0.0, allowing any unauthenticated user to modify the plugin's settings. This missing authorization check can permit attackers to change configuration options, potentially disabling protective features or enabling malicious behaviors. The primary impact is unauthorized modification of plugin settings that could compromise site functionality and security.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. Attackers can exploit the flaw by accessing the plugin's admin settings page without authentication, sending a request to the 'approveNotice' endpoint. Because the vulnerability applies to unauthenticated users, no prior permissions are needed, making it a relatively low-bar threat, but still significant due to the potential for broad configuration changes."}}}}, "created": "2025-10-27T22:10:18.906732+00:00", "updated": "2026-04-22T22:00:18.079891+00:00", "vendors": ["woobewoo", "woobewoo$PRODUCT$product_filter", "wordpress", "wordpress$PRODUCT$wordpress"]}