CVE-2025-14366

5.3 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated attackers to create arbitrary WooCommerce products with custom names, prices, and categories on WordPress sites using the Eyewear prescription form plugin. All WordPress sites with this plugin installed up to version 6.0.1 are affected. Attackers can manipulate product listings without any authentication.

💻 Affected Systems

Products:
  • WordPress Eyewear prescription form plugin
Versions: All versions up to and including 6.0.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WooCommerce to be installed and active. The plugin must be enabled and accessible via WordPress admin AJAX endpoints.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers flood the site with fake products, causing inventory management chaos, financial loss from incorrect pricing, SEO damage from malicious content, and potential data corruption requiring full site restoration.

🟠 Likely Case

Attackers create spam products with inappropriate names/prices, disrupting legitimate business operations and requiring manual cleanup of WooCommerce database entries.

🟢 If Mitigated

With proper monitoring, unauthorized product creation is quickly detected and reverted before causing significant business impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP POST requests to the vulnerable AJAX endpoint with basic parameters. No authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.2 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the 'Eyewear prescription form' plugin.
  4. Click 'Update Now' if an update is available.
  5. If no update appears, manually download version 6.0.2+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint (platform: all)

Remove or restrict access to the SubmitCatProductRequest AJAX action. Add to the theme's functions.php or a custom plugin:

  remove_action('wp_ajax_SubmitCatProductRequest', 'eyewear_prescription_form_SubmitCatProductRequest');
  remove_action('wp_ajax_nopriv_SubmitCatProductRequest', 'eyewear_prescription_form_SubmitCatProductRequest');

Note: remove_action() only takes effect if it runs after the plugin has registered the hook (for example from an init callback), and the callback name and priority must match exactly what the plugin registers; verify the callback name against the plugin source linked above before relying on this workaround.

Temporarily disable plugin (platform: linux)

Deactivate the vulnerable plugin until patched:

  wp plugin deactivate eyewear-prescription-form

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block requests to wp-admin/admin-ajax.php with 'action=SubmitCatProductRequest' parameter
  • Add authentication middleware to verify user capabilities before processing WooCommerce product creation requests

🔍 How to Verify

Check if Vulnerable:

Check if plugin version is 6.0.1 or lower in WordPress admin → Plugins, or run: wp plugin get eyewear-prescription-form --field=version

Check Version:

wp plugin get eyewear-prescription-form --field=version

Verify Fix Applied:

Confirm plugin version is 6.0.2 or higher, and test that unauthenticated POST requests to /wp-admin/admin-ajax.php with action=SubmitCatProductRequest return proper authorization errors

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-admin/admin-ajax.php with 'action=SubmitCatProductRequest' from unauthenticated users
  • Unexpected WooCommerce product creation events in WooCommerce logs
  • Spike in database insert operations on wp_posts and wp_postmeta tables

Network Indicators:

  • HTTP POST requests containing parameters: Name, Price, Parent sent to WordPress AJAX endpoint without authentication cookies

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "SubmitCatProductRequest" AND NOT (user_id>0 OR authenticated_user=true)
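As an added example (not part of the original advisory), the following Python script implements the log indicators above: it flags POSTs to admin-ajax.php that invoke SubmitCatProductRequest without a wordpress_logged_in_ cookie and counts them per source IP. The log format and the sample lines are constructed; a real deployment would adapt the regex to its own WAF or access-log format, since standard access logs do not record cookies or POST bodies.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs
# AJAX action named in the advisory; prefix WordPress uses for logged-in session cookies.
TARGET_ACTION = "SubmitCatProductRequest"
AUTH_COOKIE_PREFIX = "wordpress_logged_in_"

# Constructed sample lines (not real traffic) in an assumed WAF-style format: ip method path status cookie="..." body="..."
SAMPLE_LOG = """\
203.0.113.5 POST /wp-admin/admin-ajax.php 200 cookie="" body="action=SubmitCatProductRequest&Name=Spam&Price=1&Parent=0"
203.0.113.5 POST /wp-admin/admin-ajax.php 200 cookie="" body="action=SubmitCatProductRequest&Name=Spam2&Price=1&Parent=0"
198.51.100.7 POST /wp-admin/admin-ajax.php 200 cookie="wordpress_logged_in_1a2b=admin%7C1700000000" body="action=SubmitCatProductRequest&Name=Frames&Price=120&Parent=5"
192.0.2.9 POST /wp-admin/admin-ajax.php?action=SubmitCatProductRequest 200 cookie="" body="Name=Spam3&Price=0&Parent=0"
192.0.2.9 GET /wp-admin/admin-ajax.php?action=heartbeat 200 cookie="" body=""
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'cookie="(?P<cookie>[^"]*)" body="(?P<body>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def ajax_action(rec):
    """admin-ajax.php accepts 'action' in the query string or the POST body; check both."""
    url = urlsplit(rec["path"])
    params = parse_qs(url.query)
    params.update(parse_qs(rec["body"]))
    return params.get("action", [None])[0], url.path

def has_login_cookie(cookie_header):
    return any(c.strip().startswith(AUTH_COOKIE_PREFIX) for c in cookie_header.split(";"))

def is_unauth_product_request(rec):
    """True for a POST to admin-ajax.php invoking the target action with no logged-in cookie."""
    action, path = ajax_action(rec)
    return (rec["method"] == "POST" and path.endswith("/wp-admin/admin-ajax.php")
            and action == TARGET_ACTION and not has_login_cookie(rec["cookie"]))

def find_unauth_requests(log_text):
    """Return the matching records and a per-IP count, so repeat offenders stand out."""
    hits = [r for r in map(parse_line, log_text.splitlines()) if r and is_unauth_product_request(r)]
    return hits, Counter(r["ip"] for r in hits)

if __name__ == "__main__":
    print(find_unauth_requests(SAMPLE_LOG)[1].most_common())
```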
