CVE-2025-13314
Unknown Unknown - Not Provided
Unauthorized Settings Modification in WooCommerce Filter Plus Plugin

Publication date: 2025-12-12

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13314
EUVD
EUVD-2025-202969
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
woocommerce filter_plus *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the WooCommerce Filter Plus plugin for WordPress (versions up to and including 1.1.5). It is caused by a missing capability check on certain AJAX actions ('filter_save_settings' and 'add_filter_options'), which allows unauthenticated attackers to modify the plugin's settings and create arbitrary filter options without proper authorization.

Impact Analysis

An attacker can exploit this vulnerability to change the plugin's settings and add arbitrary filter options without authentication. This unauthorized modification could lead to unexpected behavior on the website, potentially affecting the user experience or the integrity of product filtering, but it does not directly impact confidentiality or availability.

Mitigation Strategies

To mitigate this vulnerability, immediately update the WooCommerce – Filter Plus plugin to a version later than 1.1.5 where the missing capability checks on 'filter_save_settings' and 'add_filter_options' AJAX actions are fixed. If an update is not available, restrict access to these AJAX actions by implementing proper capability checks or disabling the plugin until a patch is released.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or unauthenticated AJAX requests to the WordPress site targeting the endpoints related to the Filter Plus plugin's AJAX actions: 'filter_save_settings' and 'add_filter_options'. Specifically, look for HTTP POST requests to admin-ajax.php with the action parameter set to either 'filter_save_settings' or 'add_filter_options' coming from unauthenticated users. Example commands to detect such attempts include using curl to test the endpoints or using network monitoring tools to filter such requests. Example curl commands to test the vulnerability (replace example.com with your domain): 1. Check 'filter_save_settings' action: curl -X POST https://example.com/wp-admin/admin-ajax.php -d "action=filter_save_settings" 2. Check 'add_filter_options' action: curl -X POST https://example.com/wp-admin/admin-ajax.php -d "action=add_filter_options" Additionally, you can use tools like tcpdump or Wireshark to filter HTTP POST requests to admin-ajax.php with these action parameters. Monitoring web server logs for POST requests to admin-ajax.php with these actions from unauthenticated IPs can also help detect exploitation attempts. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13314. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart