{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14173", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T22:13:26.091Z", "datePublished": "2026-01-14T06:40:07.972Z", "dateUpdated": "2026-04-08T17:23:24.729Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:24.729Z"}, "affected": [{"vendor": "perfitdev", "product": "Perfit WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter."}], "title": "Perfit WooCommerce <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb141b46-2585-4b58-8d91-0cdb275348a1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/perfit-woocommerce/trunk/includes/class-wcp-settings-tab.php#L102"}, {"url": "https://plugins.trac.wordpress.org/browser/perfit-woocommerce/tags/1.0.1/includes/class-wcp-settings-tab.php#L102"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-01-13T17:28:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T19:29:49.763952Z", "id": "CVE-2025-14173", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T20:25:32.624Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14173", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T19:29:49.763952Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T19:46:22.226Z"}}], "cna": {"title": "Perfit WooCommerce <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "perfitdev", "product": "Perfit WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-13T17:28:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb141b46-2585-4b58-8d91-0cdb275348a1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/perfit-woocommerce/trunk/includes/class-wcp-settings-tab.php#L102"}, {"url": "https://plugins.trac.wordpress.org/browser/perfit-woocommerce/tags/1.0.1/includes/class-wcp-settings-tab.php#L102"}], "descriptions": [{"lang": "en", "value": "The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:24.729Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14173", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:23:24.729Z", "dateReserved": "2025-12-05T22:13:26.091Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-14T06:40:07.972Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter."}, {"lang": "es", "value": "El plugin Perfit WooCommerce para WordPress es vulnerable a la falta de autorizaci\u00f3n en todas las versiones hasta la 1.0.1, inclusive. Esto se debe a la falta de comprobaciones de autorizaci\u00f3n en la funci\u00f3n 'logout' llamada a trav\u00e9s de la funci\u00f3n 'actions' enganchada a 'admin_init'. Esto hace posible que atacantes no autenticados eliminen configuraciones arbitrarias del plugin a trav\u00e9s del par\u00e1metro 'action'."}], "id": "CVE-2025-14173", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-14T07:16:11.997", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/perfit-woocommerce/tags/1.0.1/includes/class-wcp-settings-tab.php#L102"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/perfit-woocommerce/trunk/includes/class-wcp-settings-tab.php#L102"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb141b46-2585-4b58-8d91-0cdb275348a1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:25:24.809498+00:00", "value": {"mitigation_remediation": ["Update the Perfit WooCommerce plugin to the latest version (1.0.2 or newer) which removes the missing authorization check", "Limit access to the WordPress admin area by restricting the wp-admin endpoint to trusted IP addresses or VPN connections", "If an update cannot be applied immediately, disable or remove the plugin until a patch is available"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Deletion of Plugin Settings"}, "threat_synthesis": {"affected_systems": "All installations of the Perfit WooCommerce plugin released by perfitdev, up through version 1.0.1, are affected. The issue resides in the code managing the settings tab and impacts any site running these versions.", "description_and_impact": "The Perfit WooCommerce plugin contains a missing authorization check on the logout function that is invoked via an admin_init hook. This flaw allows an attacker, without authentication, to provide an action parameter that triggers the deletion of any plugin setting. The vulnerability is classified as CWE\u2011862 and can result in loss of e\u2011commerce configuration, potentially disabling store features, disrupting checkout workflows, or enabling further malicious actions.", "risk_and_exploitability": "The CVSS score of 5.3 places the flaw in the moderate severity range, and the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is likely remote via HTTP requests to the WordPress admin interface; this inference is based on the described missing authorization on the admin_init hook and the lack of authentication requirements."}}}}, "created": "2026-01-15T08:04:00.589175+00:00", "updated": "2026-04-21T00:30:22.974465+00:00", "vendors": ["perfitdev", "perfitdev$PRODUCT$perfit_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}