WordPress Plugin Vulnerabilities

WowStore < 4.2.5 - Missing Authorization

Description

The WooCommerce Builder & Gutenberg WooCommerce Blocks – WowStore plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
product-blocks
Fixed in 4.2.5

References

CVE
CVE-2025-39571
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c7c89fce-afef-4b5a-92c3-41bcfb382978

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
astra.r3verii
Verified
No
WPVDB ID
c1f00e79-74ca-409f-996a-a244a8cddb06

Timeline

Publicly Published
2025-04-16 (about 1 year ago)
Added
2025-04-21 (about 1 year ago)
Last Updated
2025-04-21 (about 1 year ago)

Other

Published
Title
Published
2025-09-10
Title
My WP Translate <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2025-02-24
Title
Sticky Header On Scroll <= 1.0 - Missing Authorization
Published
2023-07-25
Title
Ninja Forms < 3.6.26 - Contributor+ Form Entries Export
Published
2022-11-01
Title
Permalink Manager Lite < 2.2.20.1 - Unauthenticated URI Deletion
Published
2025-07-03
Title
WP Human Resource Management 2.0.0 - 2.2.17 - Missing Authorization to Authenticated (Employee+) Arbitrary User Deletion via ajax_delete_employee Function