{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25443", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:40.964Z", "datePublished": "2026-03-19T08:36:32.093Z", "dateUpdated": "2026-04-28T16:14:59.203Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers", "product": "Fraud Prevention For Woocommerce", "vendor": "Dotstore", "versions": [{"changes": [{"at": "2.3.4", "status": "unaffected"}], "lessThanOrEqual": "2.3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:43:54.809Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.3.</p>"}], "value": "Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.203Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-2-arbitrary-content-deletion-vulnerability?_s_id=cve"}], "title": "WordPress Fraud Prevention For Woocommerce plugin <= 2.3.3 - Arbitrary Content Deletion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:56:26.700948Z", "id": "CVE-2026-25443", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:56:58.719Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25443", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:56:26.700948Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:56:51.306Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Fraud Prevention For Woocommerce plugin <= 2.3.3 - Arbitrary Content Deletion vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dotstore", "product": "Fraud Prevention For Woocommerce", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "2.3.3"}], "packageName": "woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-2-arbitrary-content-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fraud Prevention For Woocommerce: from n/a through 2.3.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Fraud Prevention For Woocommerce: from n/a through 2.3.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:36:32.093Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25443", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:56:58.719Z", "dateReserved": "2026-02-02T12:53:40.964Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:36:32.093Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.3."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en Dotstore Fraud Prevention For Woocommerce permite la Explotaci\u00f3n de Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a Fraud Prevention For Woocommerce: desde n/a hasta 2.3.3."}], "id": "CVE-2026-25443", "lastModified": "2026-04-23T15:37:10.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:17.453", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-2-arbitrary-content-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Fraud Prevention For Woocommerce", "source": "cna", "vendor": "Dotstore"}, "product": "fraud_prevention_for_woocommerce", "vendor": "dotstore"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T22:15:19.615290+00:00", "value": {"mitigation_remediation": ["Upgrade the Fraud Prevention For Woocommerce plugin to any version newer than 2.3.3.", "If an upgrade is not immediately possible, restrict plugin administration to trusted user roles and consider disabling the plugin for accounts that do not require its functionality.", "Enable WordPress audit logging to track delete operations and perform regular backups so deleted data can be restored."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized content deletion"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Dotstore Fraud Prevention For Woocommerce plugin\u2014also known as woo\u2011blocker\u2011lite\u2011prevent\u2011fake\u2011orders\u2011and\u2011blacklist\u2011fraud\u2011customers\u2014in any released version up through 2.3.3 are affected. Sites running a newer version are not vulnerable.", "description_and_impact": "A missing authorization flaw (CWE\u2011862) in the Dotstore Fraud Prevention For Woocommerce plugin allows an attacker to delete any content, including posts, pages, or orders, because the access\u2011control checks fail to verify proper permissions before deletion is processed. The flaw arises from incorrectly configured security levels that do not enforce role\u2011based restrictions on delete operations, thereby compromising the integrity of the site\u2019s data.", "risk_and_exploitability": "The EPSS score is below 1%, with a CVSS score of 7.5, and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of exploitation. The likely attack vector is an authenticated user who gains privileged access to the plugin\u2019s back\u2011end, either through credential compromise or by exploiting other authentication weaknesses. Once authenticated, the attacker can invoke the deletion endpoint and remove arbitrary content, leading to loss of data and potential service disruption. The impact covers integrity and availability, and the overall risk warrants prompt remediation."}}}}, "created": "2026-03-20T08:57:04.074837+00:00", "updated": "2026-04-28T22:15:41.375799+00:00", "vendors": ["dotstore", "dotstore$PRODUCT$fraud_prevention_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}