CVE-2025-14173
Unknown Unknown - Not Provided
Missing Authorization in Perfit WooCommerce Plugin Allows Settings Deletion

Publication date: 2026-01-14

Last updated on: 2026-01-14

Assigner: Wordfence

Description
The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-14
Last Modified
2026-01-14
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14173
EUVD
EUVD-2026-2532
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
perfit woocommerce to 1.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Perfit WooCommerce plugin for WordPress is a Missing Authorization issue affecting all versions up to and including 1.0.1. It occurs because the `logout` function, which is called via the `actions` function hooked to the `admin_init` action, lacks proper authorization checks. This flaw allows unauthenticated attackers to delete arbitrary plugin settings by manipulating the `action` parameter, specifically by triggering the logout action without proper permissions. [1]

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to delete arbitrary settings of the Perfit WooCommerce plugin. This could disrupt the plugin's configuration, potentially causing loss of important settings such as API keys or account information, which may affect the plugin's functionality and your WooCommerce store's operations. [1]

Detection Guidance

You can detect attempts to exploit this vulnerability by monitoring HTTP requests to the WordPress admin interface that include the 'action=logout' parameter without proper authentication. Specifically, look for GET requests to the admin area with 'action=logout' in the query string. For example, using command-line tools, you can search your web server logs for such requests with commands like: `grep 'action=logout' /var/log/apache2/access.log` or `grep 'action=logout' /var/log/nginx/access.log`. Additionally, monitoring for unauthorized POST requests attempting to save settings without proper user privileges may help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Perfit WooCommerce plugin to a version later than 1.0.1 where the missing authorization checks on the logout function are fixed. If an update is not immediately available, restrict access to the WordPress admin area to trusted IP addresses and ensure that proper authentication and authorization controls are enforced. Additionally, monitor and block unauthenticated requests attempting to invoke the 'logout' action via the 'action' parameter. Applying web application firewall (WAF) rules to block such unauthorized requests can also help mitigate the risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart