CVE-2025-49888

2025-07-16 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 12:15 (nvd)

Description (NVD)

Missing Authorization vulnerability in pimwick PW WooCommerce On Sale! pw-woocommerce-on-sale allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PW WooCommerce On Sale!: from n/a through <= 1.39.

Analysis (AI)

Missing authorization in PW WooCommerce On Sale plugin up to version 1.39 allows attackers to exploit incorrectly configured access controls, potentially accessing restricted functionality without proper permission verification. This WordPress plugin vulnerability affects all versions through 1.39 and has low exploitation probability (EPSS 0.07%, percentile 22%), with no confirmed active exploitation or public exploit code identified at time of analysis.

Technical Context (AI)

PW WooCommerce On Sale is a WordPress plugin that manages product sales functionality in WooCommerce stores. The vulnerability stems from CWE-862 (Missing Authorization), a flaw in access control logic where the plugin fails to properly verify user permissions before allowing access to sensitive operations or data. The root cause involves incorrectly configured security levels that do not enforce proper authentication or authorization checks on API endpoints, admin functions, or AJAX handlers. This allows attackers to bypass intended access restrictions, though the specific endpoint or functionality affected is not detailed in available disclosures.

Affected Products (AI)

The PW WooCommerce On Sale plugin by pimwick is affected in all versions from initial release through version 1.39. The plugin is distributed via the WordPress plugin repository and affects WooCommerce-based e-commerce sites running WordPress. CPE data is not provided in available intelligence, but the plugin can be identified as wordpress/plugin/pw-woocommerce-on-sale.

Remediation (AI)

Upgrade the PW WooCommerce On Sale plugin to version 1.40 or later, which addresses the missing authorization vulnerability. Site administrators should navigate to Plugins > Installed Plugins in the WordPress dashboard and click Update next to PW WooCommerce On Sale, or use the WordPress CLI command wp plugin update pw-woocommerce-on-sale. Verify the plugin functionality after the upgrade, particularly any admin-level features or customer-facing sale controls. For detailed remediation information and patch confirmation, consult the Patchstack vulnerability database entry: https://patchstack.com/database/Wordpress/Plugin/pw-woocommerce-on-sale/vulnerability/wordpress-pw-woocommerce-on-sale-1-39-broken-access-control-vulnerability
