CVE-2025-11741
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-18

Last updated on: 2025-10-21

Assigner: Wordfence

Description
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.2.5 via the 'woosq_quickview' AJAX endpoint due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-18
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11741
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
woocommerce wpc_smart_quick_view 4.2.6
wordpress wordpress 6.8
woocommerce wpc_smart_quick_view 4.2.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the WPC Smart Quick View for WooCommerce plugin allows unauthenticated attackers to access data from password protected, private, or draft products via the 'woosq_quickview' AJAX endpoint. This happens because the plugin does not properly restrict which posts can be included, enabling attackers to extract sensitive product information they should not have access to.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive product information, including data from password protected, private, or draft products. This exposure could harm your business by leaking confidential product details to attackers without requiring authentication, potentially impacting your competitive advantage or customer trust.

Detection Guidance

This vulnerability can be detected by attempting to access the 'woosq_quickview' AJAX endpoint on a WordPress site running the WPC Smart Quick View plugin version 4.2.5 or earlier. Specifically, an unauthenticated request to this endpoint with a product ID parameter may expose data from password protected, private, or draft products. Monitoring network traffic for requests to the 'woosq_quickview' AJAX endpoint or scanning for the plugin version can help detect potential exploitation. However, no specific commands are provided in the available resources. [2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WPC Smart Quick View plugin to version 4.2.6 or later. This update includes enhanced permission checks that ensure only authorized users can access product data via the 'woosq_quickview' AJAX endpoint, preventing unauthorized information exposure. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11741. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart