Attack Vectors
CVE-2025-12975 is a high-severity (CVSS 7.2) vulnerability in Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels (plugin slug: webappick-product-feed-for-woocommerce), affecting all versions up to and including 6.6.11. It allows an authenticated attacker with Shop Manager-level access (or higher) to install arbitrary plugins, an action WordPress normally reserves for Administrators.
In practice this risk enters through compromised or reused employee passwords, loosely controlled access for third-party agencies, and accounts that were granted Shop Manager for convenience even though their day-to-day work does not require it.
Because an attacker who can place a plugin of their choosing on the server is a short step from remote code execution, this weakness should be treated as an urgent business risk rather than a purely technical defect, especially for organizations that rely on WooCommerce for revenue, lead generation, or brand trust.
Security Weakness
The CTX Feed plugin is vulnerable because the woo_feed_plugin_installing() function performs no authorization (capability) check before installing a plugin. Any authenticated user who can reach the function, which per the report includes Shop Managers, can therefore perform an action that WordPress itself gates behind the install_plugins capability.
In practical terms, a user with Shop Manager (or higher) permissions can trigger installation of an arbitrary plugin with no security gate in place. Installing plugins is one of the most powerful administrative actions in WordPress: it writes code of the requester's choosing into wp-content/plugins, which is why WordPress reserves it for Administrators and why this page treats it as a step toward remote code execution.
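The bug class described above, as an added illustration that is not the CTX Feed plugin's code: a hypothetical admin-ajax handler (the ctx_demo_* names are invented) that reaches the WordPress plugin installer without any capability check, followed by the hardened form with the capability check, a nonce and an allow-list. Only the WordPress core functions used (current_user_can, check_ajax_referer, plugins_api, Plugin_Upgrader) are real.

```php
<?php
/**
 * Added illustrative example; this is not the CTX Feed plugin's code and the
 * ctx_demo_* names are hypothetical. It shows the bug class this page
 * describes (a plugin-install action reachable by authenticated users with
 * no capability check) next to the hardened form.
 */

// ---- Vulnerable pattern ---------------------------------------------------
// wp_ajax_{action} hooks fire for *any* logged-in user. Being authenticated
// is not authorization: a Shop Manager reaches this handler exactly like an
// Administrator does, and nothing below asks whether they may install
// plugins. The slug from the request goes straight to the installer.
add_action( 'wp_ajax_ctx_demo_install', 'ctx_demo_install_vulnerable' );
function ctx_demo_install_vulnerable() {
    $slug = sanitize_key( isset( $_POST['plugin'] ) ? wp_unslash( $_POST['plugin'] ) : '' );
    ctx_demo_run_installer( $slug );
    wp_send_json_success( array( 'installed' => $slug ) );
}

// ---- Hardened pattern -----------------------------------------------------
// 1. Capability gate. 'install_plugins' is the capability wp-admin itself
//    requires on plugin-install.php; only Administrators (and Super Admins)
//    hold it by default, and WordPress maps it to do_not_allow when
//    DISALLOW_FILE_MODS is set, so this one check honours that policy too.
// 2. Nonce. Without it a logged-in Administrator can be tricked (CSRF) into
//    triggering the install from another site.
// 3. Allow-list. The feature needs one or two known add-ons, not "any slug".
add_action( 'wp_ajax_ctx_demo_install_hardened', 'ctx_demo_install_hardened' );
function ctx_demo_install_hardened() {
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'ctx_demo_install', 'nonce' ); // sends 403 and exits on failure

    $slug    = sanitize_key( isset( $_POST['plugin'] ) ? wp_unslash( $_POST['plugin'] ) : '' );
    $allowed = array( 'woocommerce' ); // hypothetical allow-list of expected slugs
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not permitted.' ), 400 );
    }

    ctx_demo_run_installer( $slug );
    wp_send_json_success( array( 'installed' => $slug ) );
}

// Shared installer used by both handlers: resolves the slug through the
// WordPress.org API and runs Plugin_Upgrader, the same machinery wp-admin
// uses. The upgrader performs no capability check of its own; the caller is
// responsible for it, which is exactly what the vulnerable handler forgets.
function ctx_demo_run_installer( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }
}
```

The order of the checks in the hardened handler is deliberate: the capability check runs first so that an unprivileged caller learns nothing about nonce handling or which slugs are permitted, and the allow-list keeps even a legitimate Administrator from turning the feature into a general-purpose installer.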
Remediation: Update CTX Feed to version 6.6.12 or later, which addresses the issue, per the vendor and the vulnerability reporting source. Until the update is deployed, and as a lasting control afterwards, review which accounts hold Shop Manager and remove the role where it is not needed.
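An added exposure check, not code from the vendor or the advisory, that covers both the over-permissioned accounts described under Attack Vectors and the version check implied by the remediation. It assumes WP-CLI is available (run with wp eval-file); the ctx_feed_* function names are invented, while the slug and fixed version come from this page.

```php
<?php
/**
 * Added exposure check, not vendor code. Save as ctx-feed-exposure.php in the
 * site root and run:   wp eval-file ctx-feed-exposure.php
 * (WP-CLI bootstraps WordPress, so get_plugins()/get_users() are available.)
 * It answers the two questions this advisory raises: is CTX Feed still in the
 * affected range, and which accounts could reach the unguarded action.
 */

define( 'CTX_FEED_SLUG',     'webappick-product-feed-for-woocommerce' ); // slug from the advisory
define( 'CTX_FEED_FIXED_IN', '6.6.12' );                                 // first patched version

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

// Locate the plugin by its directory (the slug), then compare versions.
// version_compare() orders "6.6.11" before "6.6.12" correctly; a plain
// string comparison would not.
function ctx_feed_version_status() {
    foreach ( get_plugins() as $file => $data ) {
        if ( 0 !== strpos( $file, CTX_FEED_SLUG . '/' ) ) {
            continue;
        }
        return array(
            'file'       => $file,
            'version'    => $data['Version'],
            'active'     => is_plugin_active( $file ),
            'vulnerable' => version_compare( $data['Version'], CTX_FEED_FIXED_IN, '<' ),
        );
    }
    return null; // not installed
}

// Every account holding Shop Manager or Administrator. Administrators can
// install plugins legitimately, but the threat model on this page starts with
// a compromised or shared account, so the whole privileged set matters.
function ctx_feed_privileged_users() {
    $users = get_users( array(
        'role__in' => array( 'shop_manager', 'administrator' ),
        'orderby'  => 'ID',
    ) );
    $rows = array();
    foreach ( $users as $user ) {
        $rows[] = array(
            'ID'    => $user->ID,
            'login' => $user->user_login,
            'email' => $user->user_email,
            'roles' => implode( ',', $user->roles ),
            // install_plugins is what a correctly gated handler requires;
            // a Shop Manager should never show "yes" here.
            'can_install_plugins' => user_can( $user, 'install_plugins' ) ? 'yes' : 'no',
        );
    }
    return $rows;
}

$status = ctx_feed_version_status();
if ( null === $status ) {
    WP_CLI::log( 'CTX Feed is not installed.' );
} else {
    WP_CLI::log( sprintf(
        'CTX Feed %s (%s): %s',
        $status['version'],
        $status['active'] ? 'active' : 'inactive',
        $status['vulnerable'] ? 'VULNERABLE, update to ' . CTX_FEED_FIXED_IN . ' or later' : 'patched'
    ) );
}
WP_CLI\Utils\format_items(
    'table',
    ctx_feed_privileged_users(),
    array( 'ID', 'login', 'email', 'roles', 'can_install_plugins' )
);
```

Two things to act on from the output: any Shop Manager who does not need the role is a candidate for downgrade regardless of the patch status, and a Shop Manager showing "yes" under can_install_plugins means some other plugin or custom role has granted that capability, which is worth investigating in its own right.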
Technical or Business Impacts
Operational disruption: If an attacker leverages plugin installation to gain further control, it can lead to website defacement, checkout interruption, malware warnings, or downtime—directly impacting revenue and customer experience.
Data and financial exposure: A successful follow-on compromise may result in unauthorized access to sensitive business information stored in WordPress/WooCommerce. For regulated organizations, this can trigger incident response costs, legal exposure, and reporting obligations.
Brand and trust damage: Marketing teams may face reputational harm if customers encounter compromised pages, suspicious redirects, or security warnings. This can reduce conversion rates and increase paid media inefficiency as traffic quality drops.
Governance and compliance risk: Excessive privileges (e.g., widely assigned Shop Manager roles) and third-party access are common audit findings. This vulnerability increases the impact of those governance gaps and can complicate compliance narratives after an incident.
Similar Attacks
While the details differ, real-world incidents repeatedly show how website access and plugin/theme supply chains can be leveraged for broad impact:
SolarWinds supply-chain compromise (Reuters) demonstrated how trusted software paths can be abused to distribute malicious capabilities at scale.
LockBit ransomware campaigns (CISA/FBI advisory) highlight how attackers turn initial access into operational disruption and financial extortion.
MGM Resorts cyberattack (KrebsOnSecurity) shows how credential compromise and access misuse can cascade into major business interruption.