Skip to main content

WordPress CVE-2025-62925

MEDIUM
Missing Authorization (CWE-862)
2025-10-27 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Severity Changed
Apr 23, 2026 - 15:43 NVD
HIGH MEDIUM
CVSS changed
Apr 23, 2026 - 15:43 NVD
8.1 (HIGH) 5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Oct 27, 2025 - 02:15 nvd
HIGH 8.1

DescriptionCVE.org

Missing Authorization vulnerability in Conversios Conversios.io enhanced-e-commerce-for-woocommerce-store allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Conversios.io: from n/a through <= 7.2.13.

AnalysisAI

Broken access control in Conversios.io WooCommerce analytics plugin (versions ≤7.2.13) allows authenticated low-privilege users to access or modify high-sensitivity data without proper authorization checks. The vulnerability enables privilege escalation where any authenticated user can bypass intended access restrictions to read confidential information or alter plugin settings/data. EPSS score of 0.03% (9th percentile) indicates low predicted exploitation probability; no public exploit identified at time of analysis.

Technical ContextAI

This is a Missing Authorization vulnerability (CWE-862) in the Conversios.io WordPress plugin for WooCommerce enhanced e-commerce tracking and analytics. CWE-862 represents failures where security-critical operations execute without verifying that the user has appropriate permission to perform the requested action. WordPress plugins must implement capability checks (using functions like current_user_can()) before executing privileged operations. This vulnerability stems from incorrectly configured or completely absent access control checks on plugin endpoints or functionality, allowing any authenticated user to perform actions that should be restricted to administrators or specific roles. The affected plugin integrates with Google Analytics, Facebook Pixel, and other marketing platforms, handling sensitive e-commerce data including customer information, order details, and conversion tracking configurations.

Affected ProductsAI

The vulnerability affects WordPress sites running the Conversios.io (Enhanced E-Commerce for WooCommerce Store) plugin in all versions from the initial release through version 7.2.13 inclusive. This plugin provides Google Analytics 4, Facebook Pixel, and enhanced e-commerce tracking integration for WooCommerce stores. The vendor Conversios develops this plugin which has significant adoption among WooCommerce merchants for tracking customer journeys and conversion analytics. According to the Patchstack advisory referenced, the vulnerability was present in version 7.2.10 and persisted through at least version 7.2.13, suggesting multiple vulnerable releases in active deployment. WordPress administrators can verify their installation version through the WordPress admin panel under Plugins or by checking the plugin header in wp-content/plugins/enhanced-e-commerce-for-woocommerce-store/enhanced-e-commerce-for-woocommerce-store.php.

RemediationAI

WordPress administrators should immediately update the Conversios.io plugin to version 7.2.14 or later if available, as versions through 7.2.13 are confirmed vulnerable. Access the WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate Enhanced E-Commerce for WooCommerce Store, and apply available updates. If an updated version is not yet available through the WordPress repository, consider temporarily deactivating the plugin until a patched version is released, particularly on sites with untrusted authenticated users. Review user accounts and ensure the principle of least privilege is enforced, removing unnecessary user accounts and demoting users to subscriber or customer roles if they do not require elevated permissions. Audit plugin configuration and analytics data access logs if available to identify any unauthorized access that may have occurred prior to patching. Consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/enhanced-e-commerce-for-woocommerce-store/vulnerability/wordpress-conversios-io-plugin-7-2-10-broken-access-control-vulnerability for additional technical details and vendor response timeline. Monitor the official Conversios plugin changelog and security advisories for patch release announcements.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2025-62925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy