CVE-2025-22285: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in Eniture Technology's Pallet Packaging for WooCommerce plugin, affecting versions up to and including 1.1.15. The vulnerability was identified on February 12, 2025, by security researcher LVT-tholv2k and was assigned CVE-2025-22285. The issue stems from missing capability checks in certain plugin functions, potentially allowing unauthorized access to restricted functionality (Patchstack, WPScan).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 base score of 6.5 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. The issue specifically relates to broken access control, where the plugin fails to implement proper authorization checks, allowing unauthenticated users to perform actions typically restricted to privileged users (Patchstack).

The vulnerability enables unauthenticated attackers to perform unauthorized actions within the WordPress installation running the affected plugin. This broken access control issue could potentially lead to privilege escalation and unauthorized manipulation of plugin functionality (Patchstack).

The vulnerability has been fixed in version 1.1.16 of the Pallet Packaging for WooCommerce plugin. Users are strongly advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this vulnerability by blocking potential attacks until users can update to the fixed version (Patchstack).