Security Alert Summary
The Perfit WooCommerce plugin for WordPress contains a missing authorization vulnerability that affects all versions up to and including 1.0.1. Because authorization checks are not performed on a logout routine invoked via an actions handler hooked to admin_init, unauthenticated requests can trigger deletion of plugin settings via the action parameter.
CVE Details
- CVE ID: CVE-2025-14173
- Affected plugin / component: Perfit WooCommerce plugin for WordPress
- Affected versions: All versions up to and including 1.0.1
- Published: January 14, 2026 at 7:16:11 AM
- Last modified: January 14, 2026 at 4:25:12 PM
- CVSS v3.1: Base Score 5.3 — MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE (unauthenticated)
- User Interaction: NONE
- Scope: UNCHANGED
- Authentication / privileges / user interaction: No authentication required; no user interaction needed.
- Primary impact:
  - Confidentiality: NONE
  - Integrity: LOW (ability to delete plugin settings)
  - Availability: NONE
- CWE / Weakness: CWE-862 (Missing Authorization)
- Fixed version: Not specified in the CVE entry.
Technical Details
The vulnerability is a missing authorization check. The plugin's actions handler, hooked to admin_init, dispatches to a logout function based on the request's action parameter, and neither the handler nor the logout function verifies that the requester is authorized to perform the operation. An unauthenticated attacker can therefore supply the action parameter and cause the plugin's settings to be deleted.
The advisory names the logout function, the actions handler, and the admin_init hook. The root cause is the absence of an authorization gate around the operation that modifies plugin state, so remote, unauthenticated requests can trigger configuration changes.
The impact is limited to integrity (deletion of plugin settings). The CVE does not indicate disclosure of sensitive data or direct availability impacts; it specifically identifies the ability to remove or alter plugin configuration via the action parameter.
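As an added illustration, not the Perfit plugin's own code (the class, method, option and action names below are hypothetical placeholders), here is the handler pattern the advisory describes next to the gated version a maintainer would ship. The point it makes: admin_init also runs for admin-ajax.php requests, which logged-out visitors can reach, so a handler hooked there must perform its own capability and nonce checks.

```php
<?php
// Hypothetical settings handler, added here as an illustration. It is NOT the
// Perfit plugin's code; class, method, option and action names are placeholders.
class Example_Settings_Tab {

    const OPTION_NAME = 'example_plugin_settings'; // placeholder option key
    const ACTION      = 'example_plugin_logout';   // placeholder action value

    public function __construct() {
        // admin_init also fires for admin-ajax.php, which logged-out visitors can
        // reach, so a handler hooked here must perform its own authorization.
        add_action( 'admin_init', array( $this, 'actions' ) );
    }

    // Vulnerable pattern (CWE-862), shown for contrast and not hooked: the only
    // condition is the request parameter, so any visitor reaches the state change.
    public function actions_vulnerable() {
        if ( isset( $_GET['action'] ) && self::ACTION === $_GET['action'] ) {
            $this->logout();
        }
    }

    // Hardened pattern: require a user holding the capability that governs the
    // plugin's settings, then a valid nonce so a forged cross-site link cannot fire it.
    public function actions() {
        if ( ! isset( $_GET['action'] ) || self::ACTION !== $_GET['action'] ) {
            return;
        }
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to do that.', 'example' ), 403 );
        }
        check_admin_referer( self::ACTION, '_wpnonce' ); // dies on a missing/invalid nonce
        $this->logout();
        wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
        exit;
    }

    // The operation that must stay behind the gate: it discards the stored settings.
    private function logout() {
        delete_option( self::OPTION_NAME );
    }

    // The link that triggers the action must carry the nonce check_admin_referer() expects.
    public function logout_url() {
        $url = add_query_arg( 'action', self::ACTION, admin_url( 'admin.php?page=example-settings' ) );
        return wp_nonce_url( $url, self::ACTION, '_wpnonce' );
    }
}
new Example_Settings_Tab();
```

The capability check is the fix for the CWE-862 issue itself; the nonce is the usual companion so that an administrator cannot be tricked into triggering the deletion from another site.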
How This Could Impact Your Website
Consider a small WooCommerce site with a site owner, an internal staff member who manages products, and an external contractor who performs occasional plugin maintenance. An attacker who can send requests to the site could target the vulnerable endpoint and remove Perfit plugin settings without logging in. That could disable or misconfigure plugin behavior — for example, breaking storefront integrations, payment-related settings, or feature toggles — and require time to diagnose and restore the correct configuration.
Because confidentiality impact is listed as NONE, this issue does not describe direct exposure of customer data in the CVE entry. The primary practical consequence is loss or alteration of plugin configuration, which can interrupt normal site operations and increase administrative overhead to recover settings.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Until a patch is applied, review and reduce unnecessary user roles and capabilities—especially for contributors or accounts that can affect plugin settings.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and logs for unusual requests that reference plugin actions or unexpected configuration changes.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/perfit-woocommerce/tags/1.0.1/includes/class-wcp-settings-tab.php#L102
- https://plugins.trac.wordpress.org/browser/perfit-woocommerce/trunk/includes/class-wcp-settings-tab.php#L102
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cb141b46-2585-4b58-8d91-0cdb275348a1?source=cve