CVE-2025-12975 Overview
CVE-2025-12975 affects the CTX Feed – WooCommerce Product Feed Manager plugin for WordPress. The plugin is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function. All versions up to and including 6.6.11 are affected. Authenticated attackers holding Shop Manager-level access or above can install arbitrary plugins. Attackers can leverage this primitive to achieve remote code execution on the underlying WordPress host. The flaw is classified as Missing Authorization [CWE-862].
Critical Impact
Authenticated Shop Manager accounts can install arbitrary WordPress plugins, enabling full remote code execution and site takeover.
Affected Products
- CTX Feed – WooCommerce Product Feed Manager plugin for WordPress
- All versions up to and including 6.6.11
- WordPress sites running WooCommerce with the webappick-product-feed-for-woocommerce plugin installed
Discovery Timeline
- 2026-02-19 - CVE-2025-12975 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12975
Vulnerability Analysis
The vulnerability resides in the woo_feed_plugin_installing() function exposed by the CTX Feed plugin. The function performs plugin installation logic but omits a WordPress capability check before executing privileged operations. As a result, any authenticated user with Shop Manager privileges or higher can invoke the function and trigger installation of an attacker-supplied plugin slug. WordPress plugin installation runs PHP code on the server, so this primitive directly yields arbitrary code execution. The vulnerability is exploitable over the network through the standard WordPress administrative request flow.
Root Cause
The root cause is a missing authorization check, tracked as [CWE-862]. WordPress provides the current_user_can() helper and capability strings such as install_plugins and activate_plugins, which gate sensitive operations to administrators. The woo_feed_plugin_installing() handler does not invoke this check, so the plugin trusts the WooCommerce role boundary instead of the install-plugins capability. Shop Manager is a WooCommerce role intended for store operations and does not normally hold install_plugins, so the missing check effectively grants those rights to a lower-privileged role.
Attack Vector
An attacker first authenticates to the target site using a Shop Manager or higher account, which can be obtained through credential reuse, phishing, or a chained vulnerability. The attacker then issues a request to the plugin endpoint that invokes woo_feed_plugin_installing() with a target plugin slug or archive reference. WordPress fetches and installs the plugin, after which the attacker activates it or triggers its loader. Loading a malicious plugin executes attacker-controlled PHP within the WordPress process, yielding code execution under the web server user.
No public proof-of-concept code is referenced in the advisory. See the Wordfence Vulnerability Report and the WordPress Plugin Change Log for fix details.
Detection Methods for CVE-2025-12975
Indicators of Compromise
- Unexpected plugins present under wp-content/plugins/ that do not match the site's deployment manifest.
- HTTP POST requests to admin-ajax or admin-post endpoints invoking woo_feed_plugin_installing from Shop Manager accounts.
- New .php files created in plugin directories with timestamps that correlate to Shop Manager session activity.
- Outbound HTTP requests from the WordPress host to downloads.wordpress.org or arbitrary URLs immediately followed by plugin directory writes.
Detection Strategies
- Audit the WordPress options table and active_plugins value for plugins not approved by change control.
- Hunt webserver access logs for requests containing action=woo_feed_plugin_installing and correlate with the authenticated user role.
- Compare installed plugin inventory against a known-good baseline on a recurring schedule.
Monitoring Recommendations
- Forward WordPress and PHP-FPM logs to a centralized log platform and alert on plugin installation events outside maintenance windows.
- Monitor file integrity for the wp-content/plugins/ directory and flag unexpected new directories or PHP files.
- Track authentication events for Shop Manager and higher roles, alerting on logins from new IP addresses or user agents.
How to Mitigate CVE-2025-12975
Immediate Actions Required
- Update the CTX Feed – WooCommerce Product Feed Manager plugin to a version newer than 6.6.11 as published on the Webappick WooCommerce Plugin Page.
- Audit all accounts with Shop Manager role or higher and rotate credentials for any account that cannot be verified.
- Review the installed plugin list and remove any plugins not part of the approved baseline.
- Enforce multi-factor authentication for all WordPress accounts with administrative or store-management privileges.
Patch Information
The vendor addressed the issue in a release tracked by the WordPress Plugin Change Log. The fix adds a capability check to the woo_feed_plugin_installing() handler so that only users holding the install_plugins capability can invoke plugin installation. Site operators should apply the latest plugin release through the WordPress plugin updater.
Workarounds
- Set the WordPress constant define('DISALLOW_FILE_MODS', true); in wp-config.php to block all plugin and theme installations until patching is possible.
- Restrict access to /wp-admin/ by source IP using web server or WAF rules while the patch is being staged.
- Temporarily deactivate the CTX Feed plugin if it is not required for current store operations.
# Configuration example: block plugin installs site-wide via wp-config.php
sudo tee -a /var/www/html/wp-config.php > /dev/null <<'EOF'
define('DISALLOW_FILE_MODS', true);
EOF
# Verify the constant is loaded
wp config get DISALLOW_FILE_MODS --path=/var/www/html
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
