Search criteria
4 vulnerabilities by dugudlabs
CVE-2025-14365 (GCVE-0-2025-14365)
Vulnerability from cvelistv5 – Published: 2025-12-13 04:31 – Updated: 2025-12-15 15:33
VLAI?
Title
Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion
Summary
The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the 'catIds' parameter.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dugudlabs | Eyewear prescription form |
Affected:
* , ≤ 6.0.1
(semver)
|
Credits
Athiwat Tiprasaharn
Itthidej Aramsri
Powpy
Peerapat Samatathanyakorn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14365",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T15:24:58.049913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T15:33:29.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eyewear prescription form",
"vendor": "dugudlabs",
"versions": [
{
"lessThanOrEqual": "6.0.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
},
{
"lang": "en",
"type": "finder",
"value": "Powpy"
},
{
"lang": "en",
"type": "finder",
"value": "Peerapat Samatathanyakorn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the \u0027catIds\u0027 parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-13T04:31:31.757Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b85fc103-20e5-4599-8ed5-5bd5d9c447ee?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L74"
},
{
"url": "https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L326"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-12T16:04:36.000+00:00",
"value": "Disclosed"
}
],
"title": "Eyewear prescription form \u003c= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14365",
"datePublished": "2025-12-13T04:31:31.757Z",
"dateReserved": "2025-12-09T18:23:53.612Z",
"dateUpdated": "2025-12-15T15:33:29.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14366 (GCVE-0-2025-14366)
Vulnerability from cvelistv5 – Published: 2025-12-13 04:31 – Updated: 2025-12-15 15:34
VLAI?
Title
Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Product Creation
Summary
The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing authorization checks on the SubmitCatProductRequest AJAX action. This makes it possible for unauthenticated attackers to create arbitrary WooCommerce products with custom names, prices, and category assignments via the 'Name', 'Price', and 'Parent' parameters.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dugudlabs | Eyewear prescription form |
Affected:
* , ≤ 6.0.1
(semver)
|
Credits
Athiwat Tiprasaharn
Waris Damkham
Varakorn Chanthasri
Sopon Tangpathum (SoNaJaa)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14366",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T15:25:13.101119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T15:34:37.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eyewear prescription form",
"vendor": "dugudlabs",
"versions": [
{
"lessThanOrEqual": "6.0.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Waris Damkham"
},
{
"lang": "en",
"type": "finder",
"value": "Varakorn Chanthasri"
},
{
"lang": "en",
"type": "finder",
"value": "Sopon Tangpathum (SoNaJaa)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing authorization checks on the SubmitCatProductRequest AJAX action. This makes it possible for unauthenticated attackers to create arbitrary WooCommerce products with custom names, prices, and category assignments via the \u0027Name\u0027, \u0027Price\u0027, and \u0027Parent\u0027 parameters."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-13T04:31:21.377Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f21d7a2-3b4f-487f-a64a-b963427233b3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L71"
},
{
"url": "https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L369"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-12T16:04:31.000+00:00",
"value": "Disclosed"
}
],
"title": "Eyewear prescription form \u003c= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Product Creation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14366",
"datePublished": "2025-12-13T04:31:21.377Z",
"dateReserved": "2025-12-09T18:25:35.241Z",
"dateUpdated": "2025-12-15T15:34:37.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-23973 (GCVE-0-2025-23973)
Vulnerability from cvelistv5 – Published: 2025-06-27 11:52 – Updated: 2025-06-27 13:43
VLAI?
Title
WordPress SpecFit-Virtual Try On Woocommerce plugin <= 7.0.6 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dugudlabs SpecFit-Virtual Try On Woocommerce allows Stored XSS. This issue affects SpecFit-Virtual Try On Woocommerce: from n/a through 7.0.6.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dugudlabs | SpecFit-Virtual Try On Woocommerce |
Affected:
n/a , ≤ 7.0.6
(custom)
|
Credits
HLog (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23973",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-27T12:43:02.606698Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T13:43:16.994Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "try-on-for-woocommerce",
"product": "SpecFit-Virtual Try On Woocommerce",
"vendor": "dugudlabs",
"versions": [
{
"lessThanOrEqual": "7.0.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "HLog (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in dugudlabs SpecFit-Virtual Try On Woocommerce allows Stored XSS.\u003c/p\u003e\u003cp\u003eThis issue affects SpecFit-Virtual Try On Woocommerce: from n/a through 7.0.6.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in dugudlabs SpecFit-Virtual Try On Woocommerce allows Stored XSS. This issue affects SpecFit-Virtual Try On Woocommerce: from n/a through 7.0.6."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T11:52:11.272Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/try-on-for-woocommerce/vulnerability/wordpress-specfit-virtual-try-on-woocommerce-7-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress SpecFit-Virtual Try On Woocommerce plugin \u003c= 7.0.6 - Cross Site Scripting (XSS) Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-23973",
"datePublished": "2025-06-27T11:52:11.272Z",
"dateReserved": "2025-01-16T11:33:14.049Z",
"dateUpdated": "2025-06-27T13:43:16.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54239 (GCVE-0-2024-54239)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:24 – Updated: 2024-12-13 18:59
VLAI?
Title
WordPress Eyewear prescription form plugin <= 4.0.18 - Arbitrary Option Update to Privilege Escalation vulnerability
Summary
Missing Authorization vulnerability in dugudlabs Eyewear prescription form allows Privilege Escalation.This issue affects Eyewear prescription form: from n/a through 4.0.18.
Severity ?
9.8 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dugudlabs | Eyewear prescription form |
Affected:
n/a , ≤ 4.0.18
(custom)
|
Credits
Mika (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T18:58:48.521184Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:59:11.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "eyewear-prescription-form",
"product": "Eyewear prescription form",
"vendor": "dugudlabs",
"versions": [
{
"changes": [
{
"at": "4.0.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.0.18",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mika (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in dugudlabs Eyewear prescription form allows Privilege Escalation.\u003c/p\u003e\u003cp\u003eThis issue affects Eyewear prescription form: from n/a through 4.0.18.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in dugudlabs Eyewear prescription form allows Privilege Escalation.This issue affects Eyewear prescription form: from n/a through 4.0.18."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T14:24:33.278Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/eyewear-prescription-form/vulnerability/wordpress-eyewear-prescription-form-plugin-4-0-18-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No patched version is available. No reply from the vendor."
}
],
"value": "No patched version is available. No reply from the vendor."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Eyewear prescription form plugin \u003c= 4.0.18 - Arbitrary Option Update to Privilege Escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-54239",
"datePublished": "2024-12-13T14:24:33.278Z",
"dateReserved": "2024-12-02T12:03:27.470Z",
"dateUpdated": "2024-12-13T18:59:11.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}