CVE-2025-14357
Unauthorized Data Modification in Mega Store WooCommerce Theme
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| misbahwp | mega_store_woocommerce | up to and including 5.9 |
| woocommerce | mega_store | up to and including 5.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Mega Store WooCommerce theme for WordPress is vulnerable because the setup_widgets() function in core/includes/importer/whizzie.php is missing a capability check. The flaw exists in all versions up to and including 5.9.
Because of this missing check, authenticated users with Subscriber-level access or higher can exploit the vulnerability to create arbitrary pages and modify site settings without proper authorization.
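The pattern behind this class of bug (CWE-862) and its fix, as an added illustration that is not the theme's code. It assumes the function is reached through a `wp_ajax_` hook, which the page does not state; all `example_*` names, the nonce action and the imported content are hypothetical.

```php
<?php
// Added illustration of CWE-862 in a WordPress handler. Not the theme's code:
// every example_* name and the nonce action below are hypothetical.

// BEFORE: wp_ajax_{action} hooks fire for ANY logged-in user, Subscribers
// included. A callback that performs no check of its own is therefore
// reachable by every account on the site.
add_action( 'wp_ajax_example_setup_widgets', 'example_setup_widgets_unchecked' );
function example_setup_widgets_unchecked() {
    example_import_demo_content(); // creates pages and writes options
    wp_send_json_success();
}

// AFTER: verify intent (nonce) and authority (capability) before any write.
add_action( 'wp_ajax_example_setup_widgets_checked', 'example_setup_widgets_checked' );
function example_setup_widgets_checked() {
    // Rejects the request (HTTP 403) when the nonce is missing or invalid.
    // A nonce alone is not authorization: any user who can load a page that
    // prints it can replay it, so the capability check below is still needed.
    check_ajax_referer( 'example_setup_widgets', 'nonce' );

    // Importing demo content changes site-wide settings, so require an
    // administrator-level capability rather than just "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    example_import_demo_content();
    wp_send_json_success();
}

// Stand-in for an importer body: the kind of writes the advisory describes
// (page creation and settings modification).
function example_import_demo_content() {
    $page_id = wp_insert_post( array(
        'post_type'   => 'page',
        'post_title'  => 'Home',
        'post_status' => 'publish',
    ) );
    if ( $page_id && ! is_wp_error( $page_id ) ) {
        update_option( 'show_on_front', 'page' );
        update_option( 'page_on_front', $page_id );
    }
}
```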
How can this vulnerability impact me?
This vulnerability allows attackers with low-level authenticated access (Subscriber-level and above) to modify site content and settings arbitrarily, including:
- Creation of unauthorized pages on the website.
- Modification of site settings without proper permissions.
Such unauthorized changes can lead to defacement, misinformation, or disruption of normal site operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know