{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68025", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:59.034Z", "datePublished": "2026-02-20T15:46:35.764Z", "dateUpdated": "2026-04-28T16:14:26.687Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "addonify-floating-cart", "product": "Addonify Floating Cart For WooCommerce", "vendor": "Addonify", "versions": [{"lessThanOrEqual": "1.2.17", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:24.164Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Addonify Floating Cart For WooCommerce: from n/a through <= 1.2.17.</p>"}], "value": "Missing Authorization vulnerability in Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify Floating Cart For WooCommerce: from n/a through <= 1.2.17."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:26.687Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/addonify-floating-cart/vulnerability/wordpress-addonify-floating-cart-for-woocommerce-plugin-1-2-17-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Addonify Floating Cart For WooCommerce plugin <= 1.2.17 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T20:02:52.535535Z", "id": "CVE-2025-68025", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:28:34.964Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T20:02:52.535535Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T20:02:05.658Z"}}], "cna": {"title": "WordPress Addonify Floating Cart For WooCommerce plugin <= 1.2.17 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Addonify", "product": "Addonify Floating Cart For WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.17"}], "packageName": "addonify-floating-cart", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:24.164Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/addonify-floating-cart/vulnerability/wordpress-addonify-floating-cart-for-woocommerce-plugin-1-2-17-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify Floating Cart For WooCommerce: from n/a through <= 1.2.17.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Addonify Floating Cart For WooCommerce: from n/a through <= 1.2.17.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:26.687Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68025", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:26.687Z", "dateReserved": "2025-12-15T10:00:59.034Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:35.764Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify Floating Cart For WooCommerce: from n/a through <= 1.2.17."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Addonify Floating Cart For WooCommerce: desde n/a hasta &lt;= 1.2.17."}], "id": "CVE-2025-68025", "lastModified": "2026-04-27T19:16:22.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:07.657", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/addonify-floating-cart/vulnerability/wordpress-addonify-floating-cart-for-woocommerce-plugin-1-2-17-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.17]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Addonify Floating Cart For WooCommerce", "source": "cna", "vendor": "Addonify"}, "product": "addonify_floating_cart_for_woocommerce", "vendor": "addonify"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:39:48.653483+00:00", "value": {"mitigation_remediation": ["Update the Addonify Floating Cart For WooCommerce plugin to a version that contains the fix for the missing authorization flaw, once it is released by the vendor.", "Confirm that only users with appropriate WordPress capabilities (e.g., manage_options) can access the plugin\u2019s settings page; adjust role permissions if necessary.", "If an update is not immediately possible, temporarily restrict access to the plugin\u2019s administrative endpoints using server\u2011level rules such as .htaccess or Nginx directives, or a WordPress role\u2011based access control plugin to block non\u2011administrator users from reaching the vulnerable pages."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to privileged plugin functionality"}, "threat_synthesis": {"affected_systems": "The Addonify Floating Cart For WooCommerce plugin version 1.2.17 and earlier is affected. All installations of the plugin that rely on its default or incorrectly configured access\u2011level settings are susceptible, regardless of the WordPress site or hosting environment.", "description_and_impact": "A missing authorization flaw in the Addonify Floating Cart For WooCommerce plugin enables an attacker to bypass the plugin\u2019s access\u2011control checks and reach configuration pages or functionality that should be limited to administrators. The weakness is classified as CWE\u2011862, indicating role\u2011based access control is not enforced. Based on the description, it is inferred that an attacker who can authenticate as a WordPress user with limited permissions could exploit the flaw to modify the plugin\u2019s settings or invoke features intended for higher\u2011privilege users.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.5, indicating medium severity. An EPSS score of less than 1% suggests a low likelihood of exploitation in the wild and the issue is not listed in CISA\u2019s KEV catalog. The likely attack vector is via the plugin\u2019s administrative interface, where a user can submit requests that the system incorrectly accepts as authorized. The risk is that an attacker could alter cart behavior or expose sensitive data associated with the shopping experience."}}}}, "created": "2026-02-23T14:45:47.690138+00:00", "updated": "2026-04-28T17:45:16.136263+00:00", "vendors": ["addonify", "addonify$PRODUCT$addonify_floating_cart_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}