WordPress
CVE-2025-62925
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Conversios Conversios.io enhanced-e-commerce-for-woocommerce-store allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Conversios.io: from n/a through <= 7.2.13.
AnalysisAI
Broken access control in Conversios.io WooCommerce analytics plugin (versions ≤7.2.13) allows authenticated low-privilege users to access or modify high-sensitivity data without proper authorization checks. The vulnerability enables privilege escalation where any authenticated user can bypass intended access restrictions to read confidential information or alter plugin settings/data. EPSS score of 0.03% (9th percentile) indicates low predicted exploitation probability; no public exploit identified at time of analysis.
Technical ContextAI
This is a Missing Authorization vulnerability (CWE-862) in the Conversios.io WordPress plugin for WooCommerce enhanced e-commerce tracking and analytics. CWE-862 represents failures where security-critical operations execute without verifying that the user has appropriate permission to perform the requested action. WordPress plugins must implement capability checks (using functions like current_user_can()) before executing privileged operations. This vulnerability stems from incorrectly configured or completely absent access control checks on plugin endpoints or functionality, allowing any authenticated user to perform actions that should be restricted to administrators or specific roles. The affected plugin integrates with Google Analytics, Facebook Pixel, and other marketing platforms, handling sensitive e-commerce data including customer information, order details, and conversion tracking configurations.
Affected ProductsAI
The vulnerability affects WordPress sites running the Conversios.io (Enhanced E-Commerce for WooCommerce Store) plugin in all versions from the initial release through version 7.2.13 inclusive. This plugin provides Google Analytics 4, Facebook Pixel, and enhanced e-commerce tracking integration for WooCommerce stores. The vendor Conversios develops this plugin which has significant adoption among WooCommerce merchants for tracking customer journeys and conversion analytics. According to the Patchstack advisory referenced, the vulnerability was present in version 7.2.10 and persisted through at least version 7.2.13, suggesting multiple vulnerable releases in active deployment. WordPress administrators can verify their installation version through the WordPress admin panel under Plugins or by checking the plugin header in wp-content/plugins/enhanced-e-commerce-for-woocommerce-store/enhanced-e-commerce-for-woocommerce-store.php.
RemediationAI
WordPress administrators should immediately update the Conversios.io plugin to version 7.2.14 or later if available, as versions through 7.2.13 are confirmed vulnerable. Access the WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate Enhanced E-Commerce for WooCommerce Store, and apply available updates. If an updated version is not yet available through the WordPress repository, consider temporarily deactivating the plugin until a patched version is released, particularly on sites with untrusted authenticated users. Review user accounts and ensure the principle of least privilege is enforced, removing unnecessary user accounts and demoting users to subscriber or customer roles if they do not require elevated permissions. Audit plugin configuration and analytics data access logs if available to identify any unauthorized access that may have occurred prior to patching. Consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/enhanced-e-commerce-for-woocommerce-store/vulnerability/wordpress-conversios-io-plugin-7-2-10-broken-access-control-vulnerability for additional technical details and vendor response timeline. Monitor the official Conversios plugin changelog and security advisories for patch release announcements.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today