Overview
CVE-2025-12545 identifies an information exposure vulnerability found in the Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress. This vulnerability affects all versions up to and including 1.49.2. It allows unauthenticated attackers to access sensitive data from password-protected, private, or draft WooCommerce products. This means malicious actors could potentially gain access to product details, pricing, and other confidential information intended only for authorized users or administrators.
Technical Details
The vulnerability resides in the ajax_pmw_get_product_ids() function within the Pixel Manager plugin. Due to insufficient access control restrictions, this function fails to properly validate which products it includes in its response. An unauthenticated attacker can exploit this flaw by sending a crafted AJAX request that triggers the function and retrieves product information without proper authorization. The vulnerable code snippets can be reviewed at:
By bypassing access controls, attackers can effectively circumvent the intended privacy settings of WooCommerce products, leading to the exposure of sensitive business data.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-12545 a score of 5.3, categorizing it as a MEDIUM severity vulnerability. This score reflects the following factors:
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Confidentiality Impact: Low (C:L)
- Integrity Impact: None (I:N)
- Availability Impact: None (A:N)
This means an attacker can remotely exploit the vulnerability without requiring any user interaction or privileges. While the impact is primarily on confidentiality (exposure of sensitive information), it is still a significant risk for WooCommerce store owners.
Possible Impact
The successful exploitation of CVE-2025-12545 can have several negative consequences:
- Exposure of Confidential Product Information: Attackers can access product details, including descriptions, pricing, and other metadata, from products that should be private.
- Competitive Disadvantage: Competitors could gain access to sensitive product information, potentially undermining a store’s market position.
- Data Breach: Although the vulnerability does not allow for direct access to customer data, compromised product information could be used in social engineering attacks or other malicious activities.
- Reputational Damage: If the data exposure becomes public knowledge, it can damage a store’s reputation and erode customer trust.
Mitigation and Patch Steps
The recommended mitigation step is to immediately update the Pixel Manager for WooCommerce plugin to the latest available version. The vulnerability is addressed in versions newer than 1.49.2. You can update the plugin directly from your WordPress dashboard.
If updating is not immediately possible, consider temporarily disabling the Pixel Manager for WooCommerce plugin until you can apply the update. Monitor your website logs for suspicious activity that may indicate an attempted exploitation of this vulnerability.