CVE-2025-12975 in CTX Feed Plugin
Summary
by MITRE • 02/19/2026
The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install arbitrary plugins which can be leveraged to achieve remote code execution.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/19/2026
The vulnerability in the CTX Feed – WooCommerce Product Feed Manager plugin represents a critical authorization flaw that undermines the security model of WordPress installations. This issue stems from the absence of proper capability verification within the woo_feed_plugin_installing() function, which is designed to handle plugin installation operations. The flaw affects all versions up to and including 6.6.11, creating a persistent security risk across a wide range of plugin deployments. The vulnerability specifically targets the plugin's installation mechanism, which should only be accessible to users with appropriate administrative privileges but instead allows unauthorized access through a missing capability check.
The technical implementation of this vulnerability exploits the lack of permission validation in the plugin installation endpoint, enabling authenticated attackers who possess Shop Manager level access or higher to bypass normal security controls. This capability check failure creates a path for privilege escalation attacks where malicious actors can leverage their existing access rights to install arbitrary plugins onto the target system. The vulnerability's impact is amplified by the fact that plugin installations in WordPress environments can potentially execute arbitrary code, making this a vector for remote code execution attacks. The flaw operates at the application level, specifically within the plugin's administrative interface, where it should enforce strict access controls but fails to do so.
The operational implications of this vulnerability extend beyond simple unauthorized plugin installations, creating a significant attack surface that can be exploited for more sophisticated compromise techniques. Attackers can install malicious plugins that may contain backdoors, malware, or other exploitative code that persists beyond the initial compromise. This vulnerability aligns with CWE-863, which addresses "Incorrect Authorization" issues where access control mechanisms fail to properly validate user permissions. The security implications are particularly severe in e-commerce environments where WooCommerce stores often contain sensitive customer data and transactional information. The vulnerability can be leveraged as part of broader attack chains, potentially leading to full system compromise or data exfiltration.
Mitigation strategies for this vulnerability should focus on immediate remediation through plugin updates to versions that address the missing capability check. System administrators should implement the principle of least privilege, ensuring that users with Shop Manager access or higher are strictly monitored and that access controls are properly configured. The ATT&CK framework categorizes this vulnerability under T1190 "Exploit Public-Facing Application" and T1059.001 "Command and Scripting Interpreter" as it enables attackers to execute arbitrary code through plugin installation. Organizations should also implement network monitoring to detect unusual plugin installation activities and consider implementing web application firewalls to block suspicious installation requests. Regular security audits of installed plugins and their capabilities are essential to prevent similar issues from occurring in other components of the WordPress ecosystem.