CVE-2025-14173

Description

The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter.

PUBLISHED Reserved 2025-12-05 | Published 2026-01-14 | Updated 2026-01-14 | Assigner Wordfence

Problem types

CWE-862 Missing Authorization

Product status

Timeline

Credits

Abhirup Konwar finder

References

www.wordfence.com/...-2585-4b58-8d91-0cdb275348a1?source=cve

plugins.trac.wordpress.org/...des/class-wcp-settings-tab.php

plugins.trac.wordpress.org/...des/class-wcp-settings-tab.php

cve.org (CVE-2025-14173)

nvd.nist.gov (CVE-2025-14173)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.