CVE-2025-14173
Unknown Unknown - Not Provided

Missing Authorization in Perfit WooCommerce Plugin Allows Settings Deletion

Vulnerability report for CVE-2025-14173, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-14

Last updated on: 2026-01-14

Assigner: Wordfence

Description

The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-14
Last Modified
2026-01-14
Generated
2026-07-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
perfit woocommerce to 1.0.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in the Perfit WooCommerce plugin for WordPress is a Missing Authorization issue affecting all versions up to and including 1.0.1. It occurs because the `logout` function, which is called via the `actions` function hooked to the `admin_init` action, lacks proper authorization checks. This flaw allows unauthenticated attackers to delete arbitrary plugin settings by manipulating the `action` parameter, specifically by triggering the logout action without proper permissions. [1]

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to delete arbitrary settings of the Perfit WooCommerce plugin. This could disrupt the plugin's configuration, potentially causing loss of important settings such as API keys or account information, which may affect the plugin's functionality and your WooCommerce store's operations. [1]

Detection Guidance

You can detect attempts to exploit this vulnerability by monitoring HTTP requests to the WordPress admin interface that include the 'action=logout' parameter without proper authentication. Specifically, look for GET requests to the admin area with 'action=logout' in the query string. For example, using command-line tools, you can search your web server logs for such requests with commands like: `grep 'action=logout' /var/log/apache2/access.log` or `grep 'action=logout' /var/log/nginx/access.log`. Additionally, monitoring for unauthorized POST requests attempting to save settings without proper user privileges may help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Perfit WooCommerce plugin to a version later than 1.0.1 where the missing authorization checks on the logout function are fixed. If an update is not immediately available, restrict access to the WordPress admin area to trusted IP addresses and ensure that proper authentication and authorization controls are enforced. Additionally, monitor and block unauthenticated requests attempting to invoke the 'logout' action via the 'action' parameter. Applying web application firewall (WAF) rules to block such unauthorized requests can also help mitigate the risk. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart