CVE-2025-12975 Overview
A missing capability check vulnerability exists in the CTX Feed – WooCommerce Product Feed Manager plugin for WordPress. The vulnerability is present in the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. This authorization bypass allows authenticated attackers with Shop Manager-level access and above to install arbitrary plugins, which can be leveraged to achieve remote code execution on vulnerable WordPress installations.
Critical Impact
Authenticated attackers with Shop Manager privileges can install arbitrary plugins, potentially leading to complete site compromise through remote code execution.
Affected Products
- CTX Feed – WooCommerce Product Feed Manager plugin for WordPress versions up to and including 6.6.11
- WordPress installations with the vulnerable plugin active
- WooCommerce stores using WebAppick Product Feed for WooCommerce
Discovery Timeline
- 2026-02-19 - CVE CVE-2025-12975 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2025-12975
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), which occurs when a software component does not perform an authorization check when an actor attempts to access a resource or perform an action. In this case, the woo_feed_plugin_installing() function lacks proper capability verification, allowing users with lower privilege levels than intended to install arbitrary plugins.
The attack requires network access and can be performed without user interaction. An attacker with Shop Manager credentials can exploit this flaw to install malicious plugins, effectively gaining the ability to execute arbitrary code on the WordPress server. While Shop Manager is typically a trusted role within WooCommerce, this vulnerability allows actions that should be restricted to higher privilege levels such as administrators.
Root Cause
The root cause is a missing capability check in the woo_feed_plugin_installing() function. WordPress plugin developers should implement proper authorization checks using functions like current_user_can() to verify that the current user has appropriate permissions (such as install_plugins capability) before performing sensitive operations. The absence of this check allows the function to be called by any authenticated user with Shop Manager-level access or above.
Attack Vector
The vulnerability is exploitable over the network by authenticated users. An attacker must first obtain valid Shop Manager credentials for the target WordPress site. Once authenticated, the attacker can invoke the vulnerable function to install arbitrary plugins from the WordPress repository or potentially malicious plugin packages. This enables a privilege escalation attack chain where the attacker can install a plugin containing backdoor functionality, achieving remote code execution on the server.
The vulnerability mechanism involves an authorization bypass through the missing capability check. When a Shop Manager or higher-privileged user calls the woo_feed_plugin_installing() function, the plugin fails to verify whether the user has the install_plugins capability. This allows plugin installation to proceed regardless of the user's actual authorization level for such operations. For technical details, see the Wordfence Vulnerability Report and the WordPress Changeset Update.
Detection Methods for CVE-2025-12975
Indicators of Compromise
- Unexpected plugins installed on WordPress sites where CTX Feed plugin is active
- WordPress audit logs showing plugin installations by Shop Manager accounts
- New or unfamiliar plugins appearing without administrator approval
- Suspicious PHP files or backdoors in the wp-content/plugins/ directory
Detection Strategies
- Monitor WordPress audit logs for plugin installation events initiated by non-administrator users
- Review the list of installed plugins for unauthorized or unknown entries
- Implement file integrity monitoring on the wp-content/plugins/ directory
- Check for unexpected outbound network connections from the WordPress server
Monitoring Recommendations
- Enable and regularly review WordPress activity logs, particularly for Shop Manager accounts
- Deploy web application firewall (WAF) rules to detect and block unauthorized plugin installation attempts
- Implement SentinelOne Singularity to monitor for post-exploitation activities following unauthorized plugin installation
How to Mitigate CVE-2025-12975
Immediate Actions Required
- Update CTX Feed – WooCommerce Product Feed Manager plugin to a version newer than 6.6.11
- Audit existing Shop Manager accounts and remove unnecessary privileges
- Review installed plugins for any unauthorized additions
- Consider temporarily disabling the vulnerable plugin until the patch is applied
Patch Information
A security patch has been released to address this vulnerability. The fix adds proper capability checks to the woo_feed_plugin_installing() function. Users should update to the latest version available through the WordPress plugin repository. The changeset implementing the fix can be reviewed at the WordPress Changeset Update.
Workarounds
- Restrict Shop Manager role capabilities using a role management plugin until the patch is applied
- Implement additional access controls through .htaccess or server configuration to limit access to plugin administration functions
- Use a web application firewall to filter requests targeting the vulnerable function
# Check installed plugin version
wp plugin list --name=webappick-product-feed-for-woocommerce --fields=name,version
# Update the plugin to the latest version
wp plugin update webappick-product-feed-for-woocommerce
# Audit recently installed plugins
wp plugin list --recently-active --fields=name,status,update_version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
