{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13314", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-17T15:01:06.519Z", "datePublished": "2025-12-12T03:20:56.597Z", "dateUpdated": "2026-04-08T17:21:49.299Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:49.299Z"}, "affected": [{"vendor": "markutos987", "product": "Filter Plus \u2013 Product Filter & WordPress Filter", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Product Filtering by Categories, Tags, Price Range for WooCommerce \u2013 Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options."}], "title": "Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.6 - Missing Authorization to Unauthenticated Plugin Settings Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9686681-4e64-43f1-ba0a-56d10c8d1db9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L28"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/base/enqueue.php#L178"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.7/core/admin/settings/action.php#L23"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-11T15:04:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T16:23:39.690717Z", "id": "CVE-2025-13314", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T16:24:27.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13314", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T16:23:39.690717Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T16:24:23.792Z"}}], "cna": {"title": "Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.6 - Missing Authorization to Unauthenticated Plugin Settings Modification", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "markutos987", "product": "Filter Plus \u2013 Product Filter & WordPress Filter", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T15:04:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9686681-4e64-43f1-ba0a-56d10c8d1db9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L23"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L82"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L28"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/base/enqueue.php#L178"}, {"url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.7/core/admin/settings/action.php#L23"}], "descriptions": [{"lang": "en", "value": "The Product Filtering by Categories, Tags, Price Range for WooCommerce \u2013 Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:49.299Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13314", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:49.299Z", "dateReserved": "2025-11-17T15:01:06.519Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:56.597Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Product Filtering by Categories, Tags, Price Range for WooCommerce \u2013 Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options."}], "id": "CVE-2025-13314", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:40.980", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/base/enqueue.php#L178"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L23"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L28"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L82"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.7/core/admin/settings/action.php#L23"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9686681-4e64-43f1-ba0a-56d10c8d1db9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:53:48.274161+00:00", "value": {"mitigation_remediation": ["Update Filter Plus to version 1.1.7 or later, which adds the missing capability check on the relevant AJAX actions.", "If an upgrade cannot be performed immediately, restrict the plugin\u2019s AJAX endpoints so that only authenticated users with the appropriate capabilities can access them, using a security plugin or firewall rule.", "If the plugin is not essential for the site\u2019s operation, consider uninstalling or deactivating it entirely."], "summary": {"action": "Patch Now", "impact": "Unauthorized modification of plugin settings by unauthenticated users"}, "threat_synthesis": {"affected_systems": "Any WordPress installation running Filter Plus version 1.1.6 or older is affected. The vulnerability covers all releases up to the 1.1.6 tag, including the 1.1.5 and earlier releases referenced in the plugin\u2019s core and admin files. The affected component is the plugin\u2019s AJAX endpoint handling the \"filter_save_settings\" and \"add_filter_options\" actions.", "description_and_impact": "The Filter Plus plugin for WooCommerce is missing a capability check on the AJAX actions that save settings and add filter options. This flaw allows any unauthenticated user to modify the plugin\u2019s configuration, creating arbitrary filter options that can affect the presentation and ordering of products for all site visitors. Because the vulnerability does not alter core WordPress files or data stores outside the plugin, the impact is limited to the plugin\u2019s functionality but can still disrupt business processes relying on precise product filtering.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity, and the EPSS score of less than 1% shows that exploitation is currently considered unlikely. The flaw is not listed in CISA\u2019s KEV catalog, but it remains exploitable if the plugin is enabled and accessible from the internet. Attackers can trigger the flaw by sending crafted HTTP POST requests to the plugin\u2019s AJAX endpoints \u2013 the likely attack vector is inferred from the presence of the \"filter_save_settings\" and \"add_filter_options\" actions mentioned in the source code."}}}}, "created": "2025-12-12T08:47:55.043359+00:00", "updated": "2026-04-21T01:00:12.971671+00:00", "vendors": ["markutos987", "markutos987$PRODUCT$product_filtering_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}