CVE-2025-31854: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-31854) was discovered in the Simple Sticky Add To Cart For WooCommerce WordPress plugin, affecting versions up to and including 1.4.6. The vulnerability was publicly disclosed on April 1, 2025, and was identified by researcher theviper17y. The issue stems from missing capability checks in the plugin's functionality (WPScan, Patchstack).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The security flaw is characterized by incorrectly configured access control security levels, which fails to properly implement authorization checks on certain functions (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access and above to perform unauthorized actions within the WooCommerce environment. The impact is considered medium severity, primarily affecting the availability of the system while not compromising confidentiality or integrity (WPScan).

Currently, there is no official fix available for this vulnerability. The issue affects versions up to and including 1.4.6, and users are advised to implement additional access controls at the application level while waiting for an official patch (Patchstack).