{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7827", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-18T18:56:49.261Z", "datePublished": "2025-08-23T04:25:46.212Z", "dateUpdated": "2026-04-08T16:46:00.537Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:00.537Z"}, "affected": [{"vendor": "anzia", "product": "Ni WooCommerce Customer Product Report", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings."}], "title": "Ni WooCommerce Customer Product Report <= 1.2.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/35b02e79-9d31-482a-92b9-b1e8201d45f1?source=cve"}, {"url": "https://wordpress.org/plugins/ni-woocommerce-customer-product-report/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "timeline": [{"time": "2025-08-22T15:50:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-25T17:33:19.634644Z", "id": "CVE-2025-7827", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T17:34:55.886Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7827", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-25T17:33:19.634644Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T17:33:29.187Z"}}], "cna": {"title": "Ni WooCommerce Customer Product Report <= 1.2.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "anzia", "product": "Ni WooCommerce Customer Product Report", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-22T15:50:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/35b02e79-9d31-482a-92b9-b1e8201d45f1?source=cve"}, {"url": "https://wordpress.org/plugins/ni-woocommerce-customer-product-report/"}], "descriptions": [{"lang": "en", "value": "The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-23T04:25:46.212Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7827", "state": "PUBLISHED", "dateUpdated": "2025-08-25T17:34:55.886Z", "dateReserved": "2025-07-18T18:56:49.261Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-23T04:25:46.212Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings."}, {"lang": "es", "value": "El complemento Ni WooCommerce Customer Product Report para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n ni_woocpr_action() en todas las versiones hasta la 1.2.4 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, actualicen la configuraci\u00f3n del plugin."}], "id": "CVE-2025-7827", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-23T05:15:32.573", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/ni-woocommerce-customer-product-report/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/35b02e79-9d31-482a-92b9-b1e8201d45f1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:24:32.786605+00:00", "value": {"mitigation_remediation": ["Upgrade the Ni WooCommerce Customer Product Report plugin to the latest version, which implements proper capability checks for the ni_woocpr_action() function.", "If an upgrade is not immediately possible, remove the plugin or disable it for Subscriber and other low\u2011privilege roles using role\u2011based access controls or a security plugin that restricts capability access.", "Ensure that no Subscriber or lower\u2011level role has the capability to modify WooCommerce plugin settings by reviewing and tightening role capabilities in WordPress or via a role\u2011management plugin."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Modification of Plugin Settings by Authenticated Users"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that has the Ni WooCommerce Customer Product Report plugin version 1.2.4 or earlier installed, regardless of active theme or other plugins. The vendor is Anzia, and the product is the Ni WooCommerce Customer Product Report plugin.", "description_and_impact": "The Ni WooCommerce Customer Product Report plugin contains a missing capability check in the ni_woocpr_action() function for all releases up to version 1.2.4. This defect allows an attacker who is logged in with a Subscriber role or higher to change the plugin\u2019s configuration settings without proper authorization. Altered settings could affect the accuracy of customer product reports, redirect data flows, or expose sensitive operational parameters, thereby compromising the integrity of the site\u2019s reporting functionality.", "risk_and_exploitability": "The vulnerability has a CVSS score of 4.3, indicating moderate severity, and an EPSS score of less than 1\u202f%, showing that opportunistic exploitation is unlikely. It is not listed in the CISA KEV catalogue. The attack vector is inferred to be local: an authenticated user must first log into the WordPress site with at least Subscriber privileges and then submit a request to the affected endpoint. No additional exploitation prerequisites or remote code execution are documented in the official description."}}}}, "created": "2025-08-23T11:53:08.715135+00:00", "updated": "2026-04-21T03:30:26.335175+00:00", "vendors": ["anzia", "anzia$PRODUCT$ni_woocommerce_customer_product_report", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}