{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5813", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-06T16:06:46.182Z", "datePublished": "2025-06-26T02:22:22.986Z", "dateUpdated": "2026-04-08T17:12:14.099Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:14.099Z"}, "affected": [{"vendor": "suhailahmad64", "product": "Amazon Products to WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Amazon Products to WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcta2w_get_amazon_product_callback() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to create new produces."}], "title": "Amazon Products to WooCommerce <= 1.2.7 - Missing Authorization to Unauthenticated Arbitrary Product Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a0906540-46fc-4f76-9265-cb87c6340fad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/import-products-to-wc/trunk/inc/functions.php#L266"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "timeline": [{"time": "2025-06-25T14:07:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-26T13:22:24.584436Z", "id": "CVE-2025-5813", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:22:38.596Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5813", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-26T13:22:24.584436Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:22:33.285Z"}}], "cna": {"title": "Amazon Products to WooCommerce <= 1.2.7 - Missing Authorization to Unauthenticated Arbitrary Product Creation", "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "suhailahmad64", "product": "Amazon Products to WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-25T14:07:55.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a0906540-46fc-4f76-9265-cb87c6340fad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/import-products-to-wc/trunk/inc/functions.php#L266"}], "descriptions": [{"lang": "en", "value": "The Amazon Products to WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcta2w_get_amazon_product_callback() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to create new produces."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-06-26T02:22:22.986Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5813", "state": "PUBLISHED", "dateUpdated": "2025-06-26T13:22:38.596Z", "dateReserved": "2025-06-06T16:06:46.182Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-26T02:22:22.986Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suhailahmad64:amazon_products_to_woocommerce:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "0DC397EF-BDEE-420B-A9EB-044427283169", "versionEndIncluding": "1.2.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Amazon Products to WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcta2w_get_amazon_product_callback() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to create new produces."}, {"lang": "es", "value": "El complemento Amazon Products to WooCommerce para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n wcta2w_get_amazon_product_callback() en todas las versiones hasta la 1.2.7 incluida. Esto permite que atacantes no autenticados creen nuevos productos."}], "id": "CVE-2025-5813", "lastModified": "2025-07-07T16:04:42.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-06-26T03:15:24.800", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/import-products-to-wc/trunk/inc/functions.php#L266"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a0906540-46fc-4f76-9265-cb87c6340fad?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:01:15.584005+00:00", "value": {"mitigation_remediation": ["Upgrade the Amazon Products to WooCommerce plugin to the latest version that includes a proper capability check.", "If an update is not available or the plugin is not needed, remove it entirely from the WordPress installation to eliminate the attack surface.", "Configure WordPress role and capability settings to ensure that only authorized administrators or shop managers can create WooCommerce products; verify that no other user role has the capability to access the callback endpoint."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Product Creation"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Amazon Products to WooCommerce plugin version 1.2.7 or earlier are affected. The plugin is developed by the vendor suhailahmad64 and is distributed through the WordPress plugin repository. Any installation of the plugin prior to version 1.2.8 is vulnerable.", "description_and_impact": "The Amazon Products to WooCommerce plugin contains a missing capability check in the wcta2w_get_amazon_product_callback() function. This omission permits unauthenticated attackers to invoke the callback and create new WooCommerce products without proper authorization. The vulnerability could be abused to inject unwanted products into a store, potentially leading to defacement, misinformation, or redirecting traffic to malicious content. The attack consumes only the ability to send an HTTP request to the plugin\u2019s callback endpoint, with no need for elevated privileges or complex setup.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests low exploitation probability at the current time. The vulnerability is not listed in the CISA KEV catalog. Attackers could exploit the flaw by sending a crafted request to the exposed callback endpoint; no additional authentication is required, so the vector is likely web-based and publicly reachable. Although the risk remains moderate, the lack of authorization makes the flaw significant enough to warrant prompt remediation."}}}}, "created": "2026-04-21T20:15:44.572257+00:00", "updated": "2026-04-21T20:15:44.572269+00:00", "vendors": []}