CVE-2025-47463

EUVD-2025-17515 | HIGH 7.1 (CVSS 3.1) | 2025-06-09

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd), EUVD-2025-17515
Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
CVE Published: Jun 09, 2025 - 16:15 (nvd), HIGH 7.1

Description

Missing Authorization vulnerability in Fahad Mahmood Stock Locations for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stock Locations for WooCommerce: from n/a through 2.8.6.

Analysis

A Missing Authorization vulnerability in Fahad Mahmood's Stock Locations for WooCommerce plugin (versions up to 2.8.6) allows authenticated users with low privileges to perform unauthorized actions, including information disclosure and availability disruption. An attacker with basic user credentials can bypass access controls to modify stock locations or trigger denial-of-service conditions due to improper privilege verification. This vulnerability has a CVSS score of 7.1 (High) and affects WooCommerce installations using the vulnerable plugin; KEV status and active exploitation data are not currently confirmed in public advisories.

Technical Context

The vulnerability exists in the Stock Locations for WooCommerce plugin, which extends WooCommerce's e-commerce functionality to manage inventory across multiple warehouse or storage locations. The root cause is CWE-862 (Missing Authorization), indicating the plugin fails to properly enforce role-based access control (RBAC) checks before executing sensitive operations. Rather than verifying user capabilities via WordPress's capability system (e.g., manage_woocommerce, edit_products), the plugin likely exposes administrative or restricted endpoints to authenticated users without sufficient privilege validation. This affects the plugin across all versions from the initial release through version 2.8.6, with the vulnerability residing in action handlers, AJAX endpoints, or REST API routes that interact with stock location data. CPE identifier would be: cpe:2.3:a:fahad_mahmood:stock_locations_for_woocommerce:*:*:*:*:*:wordpress:*:* (versions <=2.8.6).

Affected Products

Stock Locations for WooCommerce (0.0.0 through 2.8.6 (inclusive))

Priority Score

Score: 36
KEV: 0
EPSS: +0.1
CVSS: +36
POC: 0
