{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14365", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-09T18:23:53.612Z", "datePublished": "2025-12-13T04:31:31.757Z", "dateUpdated": "2026-04-08T17:17:48.344Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:48.344Z"}, "affected": [{"vendor": "dugudlabs", "product": "Eyewear prescription form", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the 'catIds' parameter."}], "title": "Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b85fc103-20e5-4599-8ed5-5bd5d9c447ee?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L74"}, {"url": "https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L326"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}], "timeline": [{"time": "2025-12-12T16:04:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:24:58.049913Z", "id": "CVE-2025-14365", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:33:29.383Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14365", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:24:58.049913Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:24:59.325Z"}}], "cna": {"title": "Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "dugudlabs", "product": "Eyewear prescription form", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "6.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T16:04:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b85fc103-20e5-4599-8ed5-5bd5d9c447ee?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L74"}, {"url": "https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L326"}], "descriptions": [{"lang": "en", "value": "The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the 'catIds' parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-13T04:31:31.757Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14365", "state": "PUBLISHED", "dateUpdated": "2025-12-15T15:33:29.383Z", "dateReserved": "2025-12-09T18:23:53.612Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:31.757Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the 'catIds' parameter."}], "id": "CVE-2025-14365", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:48.467", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L326"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L74"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b85fc103-20e5-4599-8ed5-5bd5d9c447ee?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:25:47.489939+00:00", "value": {"mitigation_remediation": ["Upgrade the Eyewear prescription form plugin to the latest released version that includes the missing authorization check.", "If an immediate upgrade is not possible, modify the plugin\u2019s RemoveItems AJAX handler to require proper user capability checks or authentication before allowing category deletions.", "Restrict the AJAX endpoint to authenticated users or specific roles, for example by adding a capability requirement such as 'manage_woocommerce' to the request handler.", "Monitor WordPress logs for unexpected category deletion events or implement a security plugin that alerts on bulk category removal requests."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Deletion of WooCommerce Product Categories"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Dugudlabs Eyewear prescription form plugin, versions up to and including 6.0.1. The flaw specifically targets environments that also run WooCommerce, since the deletion payload directly manipulates WooCommerce product categories. No specific patch version is listed in the data, but the issue applies universally to all versions up to 6.0.1.", "description_and_impact": "This vulnerability arises from a missing capability check in the RemoveItems AJAX action of the Eyewear prescription form plugin. Because the plugin fails to verify user permissions, any unauthenticated user can submit a request with the 'catIds' parameter and delete arbitrary WooCommerce product categories, including all of their child categories. The underlying weakness is a classic missing authorization flaw, classified as CWE-862.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact when the flaw is exploited, while the EPSS score of less than 1% suggests a very low probability of exploitation at the time of this analysis. The vulnerability is not currently listed in the CISA KEV catalog, which reduces the likelihood of a widespread public exploit. Nonetheless, the attack vector is straightforward: an unauthenticated HTTP request to the RemoveItems AJAX endpoint with a crafted 'catIds' argument. An attacker only needs access to the WordPress site and no privileged credentials to delete product categories."}}}}, "created": "2025-12-14T21:14:55.342550+00:00", "updated": "2026-04-20T21:30:18.579839+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}