CTX Feed – WooCommerce Product Feed Manager < 6.6.12 – Missing Authorization to Authenticated (Shop Manager+) Arbitrary Plugin Installation | CVE 2025-12975 | Plugin Vulnerabilities

Description

The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install arbitrary plugins which can be leveraged to achieve remote code execution.

Affects Plugins

webappick-product-feed-for-woocommerce

Fixed in 6.6.12

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4f77f4cd-f4b3-42bc-a1a9-e5df5daa42b7

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

DityaRA

Verified

No

WPVDB ID

52c81198-9435-4e7b-aa40-1d0b1d31dfbc

Timeline

Publicly Published

2026-02-18 (about 3 months ago)

Added

2026-02-18 (about 3 months ago)

Last Updated

2026-02-19 (about 3 months ago)

Other

Published

Title

Published

2023-11-23

Title

SmartCrawl WordPress SEO checker < 3.8.3 - Unauthenticated Password Protected Post Disclosure

Published

2026-01-11

Title

WP Popups < 2.2.0.6 - Missing Authorization

Published

2025-12-15

Title

Cookie Notice for GDPR, CCPA & ePrivacy Consent < 4.0.8 - Missing Authorization

Published

2023-12-05

Title

Webflow Pages < 1.1.0 - Missing Authorization

Published

2025-10-23

Title

NGINX Cache Optimizer <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Dynamic Caching Exclusion Update