CVE-2025-14365

medium

Description

The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the 'catIds' parameter.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/b85fc103-20e5-4599-8ed5-5bd5d9c447ee?source=cve

https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L74

https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L326

Details

Source: Mitre, NVD

Published: 2025-12-13

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00034