CVE-2025-66089 – This vulnerability allows unauthorized users to... (How to Fix)

Q: How do I fix CVE-2025-66089?

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Product Feed for WooCommerce'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.3.2+ from WordPress repository and manually update.

Q: What is the severity of CVE-2025-66089?

CVE-2025-66089 has a CVSS score of 4.3 (MEDIUM). This vulnerability allows unauthorized users to access functionality intended only for authenticated administrators in the WebToffee Product Feed for WooCommerce plugin. It affects all WordPress sites running the plugin version 2.3.1 or earlier. Attackers could potentially modify product feed settings without proper authorization.

📋 TL;DR

This vulnerability allows unauthorized users to access functionality intended only for authenticated administrators in the WebToffee Product Feed for WooCommerce plugin. It affects all WordPress sites running the plugin version 2.3.1 or earlier. Attackers could potentially modify product feed settings without proper authorization.

💻 Affected Systems

Products:

WebToffee Product Feed for WooCommerce

Versions: <= 2.3.1

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations with the vulnerable plugin version installed and activated.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could modify product feed configurations, potentially disrupting e-commerce operations, injecting malicious content into product feeds, or accessing sensitive product data.

🟠

Likely Case

Unauthorized users could alter product feed settings, causing incorrect product listings on external platforms like Google Shopping or Facebook Marketplace.

🟢

If Mitigated

With proper access controls and authentication checks, only authorized administrators could modify product feed settings, limiting impact to configuration changes.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and this vulnerability affects a WooCommerce plugin used on public e-commerce sites.

🏢 Internal Only: LOW - This is primarily an internet-facing vulnerability affecting WordPress plugins on public websites.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires understanding of WordPress plugin structure but doesn't require advanced technical skills once the vulnerability is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.2 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/webtoffee-product-feed/vulnerability/wordpress-product-feed-for-woocommerce-plugin-2-3-1-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Product Feed for WooCommerce'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.3.2+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate webtoffee-product-feed

Restrict Admin Access

linux

Implement IP whitelisting for WordPress admin area

Add to .htaccess: Order Deny,Allow\nDeny from all\nAllow from 192.168.1.0/24

🧯 If You Can't Patch

Implement strict access controls and monitor for unauthorized configuration changes
Use web application firewall rules to block suspicious requests to plugin endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for 'Product Feed for WooCommerce' version <= 2.3.1

Check Version:

wp plugin get webtoffee-product-feed --field=version

Verify Fix Applied:

Verify plugin version is 2.3.2 or higher in WordPress admin plugins page

📡 Detection & Monitoring

Log Indicators:

Unauthorized POST requests to /wp-admin/admin-ajax.php with product feed related actions
Unexpected modifications to product feed settings in WordPress database

Network Indicators:

Unusual requests to product feed endpoints from non-admin IP addresses
Patterns of requests attempting to access admin-only plugin functionality

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND action CONTAINS "webtoffee" AND user_role!="administrator")

📊 Metadata

CVE ID: CVE-2025-66089

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

CWE: CWE-862

EPSS Score: 0.04% exploit probability (10.5th percentile)

Published: November 21, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/webtoffee-product-feed/vulnerability/wordpress-product-feed-for-woocommerce-plugin-2-3-1-broken-access-control-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-66089, you might also want to check these: