{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68022", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:59.033Z", "datePublished": "2026-02-20T15:46:34.974Z", "dateUpdated": "2026-04-28T16:14:26.504Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bluex-for-woocommerce", "product": "Plugin BlueX for WooCommerce", "vendor": "soporteblue", "versions": [{"lessThanOrEqual": "3.1.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:24.381Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Plugin BlueX for WooCommerce: from n/a through <= 3.1.6.</p>"}], "value": "Missing Authorization vulnerability in soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Plugin BlueX for WooCommerce: from n/a through <= 3.1.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:26.504Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/bluex-for-woocommerce/vulnerability/wordpress-plugin-bluex-for-woocommerce-plugin-3-1-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Plugin BlueX for WooCommerce plugin <= 3.1.6 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:28:12.413676Z", "id": "CVE-2025-68022", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:28:15.127Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68022", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T18:28:12.413676Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:49:27.863Z"}}], "cna": {"title": "WordPress Plugin BlueX for WooCommerce plugin <= 3.1.6 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "soporteblue", "product": "Plugin BlueX for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.1.6"}], "packageName": "bluex-for-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:24.381Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/bluex-for-woocommerce/vulnerability/wordpress-plugin-bluex-for-woocommerce-plugin-3-1-4-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Plugin BlueX for WooCommerce: from n/a through <= 3.1.6.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Plugin BlueX for WooCommerce: from n/a through <= 3.1.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.765Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68022", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:28:15.127Z", "dateReserved": "2025-12-15T10:00:59.033Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:34.974Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Plugin BlueX for WooCommerce: from n/a through <= 3.1.6."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en el plugin soporteblue BlueX para WooCommerce bluex-for-woocommerce permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta al plugin BlueX para WooCommerce: desde n/a hasta &lt;= 3.1.6."}], "id": "CVE-2025-68022", "lastModified": "2026-04-27T19:16:22.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:07.247", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/bluex-for-woocommerce/vulnerability/wordpress-plugin-bluex-for-woocommerce-plugin-3-1-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Plugin BlueX for WooCommerce", "source": "cna", "vendor": "soporteblue"}, "product": "plugin_bluex_for_woocommerce", "vendor": "soporteblue"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:40:11.174897+00:00", "value": {"mitigation_remediation": ["Update the Plugin BlueX for WooCommerce to a version newer than 3.1.6 as released by soporteblue.", "If an update is not immediately available, temporarily disable or uninstall the plugin until the fix is released.", "Reconfigure the plugin\u2019s access settings to ensure that only appropriate user roles can perform administrative functions."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access to administrative functions"}, "threat_synthesis": {"affected_systems": "The affected product is the soporteblue Plugin BlueX for WooCommerce. Versions from the earliest available through 3.1.6 are impacted. The plugin is used within WordPress sites that rely on WooCommerce for online sales.", "description_and_impact": "This vulnerability stems from a missing authorization check in the soporteblue Plugin BlueX for WooCommerce. The incorrect access control allows an attacker to exploit functions that should be restricted to privileged users. By sending specially crafted requests, an unauthorized user could gain access to administrative features and potentially modify or delete e\u2011commerce data, harming confidentiality and integrity of the store.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.3, indicating moderate to high severity. The EPSS score is below 1\u202f%, suggesting a low probability of exploitation at this time, and it is not currently listed in the CISA KEV catalog. Nevertheless, because the flaw permits unauthorized access to critical shop functions, attackers could potentially alter orders or manage product data. Remote exploitation via the web interface is likely, and the attack requires only publicly reachable endpoints without special credentials."}}}}, "created": "2026-02-23T14:45:51.835486+00:00", "updated": "2026-04-28T17:45:16.137634+00:00", "vendors": ["soporteblue", "soporteblue$PRODUCT$plugin_bluex_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}