Thank You Page Customizer for WooCommerce < 1.1.9 – Missing Authorization | CVE 2025-66528 | Plugin Vulnerabilities

Description

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

woo-thank-you-page-customizer

Fixed in 1.1.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/956fa041-1a48-4a88-a78b-a1617540d6dc

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

a9f01c0d-66e2-4013-a34b-5f3dde5916fa

Timeline

Publicly Published

2025-12-05 (about 6 months ago)

Added

2025-12-11 (about 6 months ago)

Last Updated

2025-12-11 (about 6 months ago)

Other

Published

Title

Published

2024-02-01

Title

Orbit Fox by ThemeIsle < 2.10.29 - Unauthenticated Connected API Keys Update

Published

2024-11-28

Title

Chatter <= 1.0.1 - Missing Authorization

Published

2025-12-31

Title

Countdowner for Elementor <= 1.0.4 - Missing Authorization

Published

2025-12-29

Title

Arcane <= 3.6.6 - Missing Authorization

Published

2023-11-06

Title

Seraphinite Accelerator < 2.20.32 - Unauthorised Settings Reset/Import