WebToffee eCommerce Marketing Automation < 2.1.2 – Missing Authorization | CVE 2025-67599 | Plugin Vulnerabilities

Description

The WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

decorator-woocommerce-email-customizer

Fixed in 2.1.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/961f4a7d-ca95-4c2c-8355-9d1d65cb614d

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Legion Hunter

Verified

No

WPVDB ID

c3122264-1d57-4453-91cd-2492e812ee47

Timeline

Publicly Published

2025-10-30 (about 6 months ago)

Added

2025-12-11 (about 5 months ago)

Last Updated

2025-12-11 (about 5 months ago)

Other

Published

Title

Published

2024-07-10

Title

iPanorama 360 WordPress Virtual Tour Builder < 1.8.4 - Missing Authorization

Published

2026-04-27

Title

Feeds for YouTube < 2.6.4 - Subscriber+ License Data Deletion

Published

2026-02-14

Title

RPS Include Content <= 1.2.2 - Missing Authorization

Published

2024-08-16

Title

Radio Player < 2.0.74 - Missing Authorization to Player Update

Published

2025-12-12

Title

Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion