Executive Summary

CVE-2025-67958 is a medium severity Broken Access Control vulnerability in the TaxCloud for WooCommerce plugin (versions up to 8.3.8). It occurs due to missing authorization, authentication, or nonce token checks in certain functions, which allows unauthenticated users to perform actions that should be restricted to higher privileged users. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthorized users to perform privileged actions within the WooCommerce TaxCloud plugin, potentially leading to unauthorized access or manipulation of tax-related data or settings. This poses a moderate risk to the security and integrity of your e-commerce system until the plugin is updated to version 8.4.0 or later where the issue is fixed. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection can be performed by monitoring for unauthorized access attempts or suspicious activity targeting the TaxCloud for WooCommerce plugin, especially attempts to invoke functions without proper authorization. Patchstack provides a rule to block attacks targeting this vulnerability, which can also be used to detect exploitation attempts. Specific commands are not provided in the resources, but enabling Patchstack's monitoring and automatic updates can help detect and prevent exploitation. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the TaxCloud for WooCommerce plugin to version 8.4.0 or later, which includes a fix for the broken access control issue. Additionally, users of Patchstack can enable the provided mitigation rule to block attacks targeting this vulnerability and enable automatic updates for vulnerable plugins to ensure timely protection. [1]

Useful 0 Not Useful 0