CVE-2025-12975 - Vulnerability Details

The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install arbitrary plugins which can be leveraged to achieve remote code execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wahid0003	Product Feed For Woocommerce
Wordpress	Wordpress

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417230%40webappick-product-feed-for-woocommerce&new=3417230%40webappick-product-feed-for-woocommerce&sfp_email=&sfph_mail=
https://wordpress.org/plugins/webappick-product-feed-for-woocommerce/
https://www.wordfence.com/threat-intel/vulnerabilities/id/4f77f4cd-f4b3-42bc-a1a9-e5df5daa42b7?source=cve

History

Thu, 19 Feb 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wahid0003 Wahid0003 product Feed For Woocommerce Wordpress Wordpress wordpress
Vendors & Products		Wahid0003 Wahid0003 product Feed For Woocommerce Wordpress Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000

Type	Values Removed	Values Added
Description		The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install arbitrary plugins which can be leveraged to achieve remote code execution.
Title		CTX Feed – WooCommerce Product Feed Manager <= 6.6.11 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Plugin Installation
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417230%40webappick-product-feed-for-woocommerce&new=3417230%40webappick-product-feed-for-woocommerce&sfp_email=&sfph_mail= https://wordpress.org/plugins/webappick-product-feed-for-woocommerce/ https://www.wordfence.com/threat-intel/vulnerabilities/id/4f77f4cd-f4b3-42bc-a1a9-e5df5daa42b7?source=cve
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-19T04:36:10.601Z

Updated: 2026-02-19T04:36:10.601Z

Reserved: 2025-11-10T18:30:18.891Z

Link: CVE-2025-12975

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object