CVE-2025-47463: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-47463) was discovered in Fahad Mahmood Stock Locations for WooCommerce plugin affecting versions through 2.8.6. The vulnerability was disclosed on June 4, 2025, and received a CVSS v3.1 base score of 7.1 (HIGH). This security issue is classified as a Broken Access Control vulnerability that stems from incorrectly configured access control security levels (Wiz, NVD).

The vulnerability is classified under CWE-862 (Missing Authorization) and features a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H. This indicates that the vulnerability is network accessible with low attack complexity, requires low privileges, and needs no user interaction. The technical assessment shows no impact on confidentiality, low impact on integrity, and high impact on availability (Patchstack).

The vulnerability enables attackers with subscriber-level privileges to perform unauthorized actions on the affected systems. According to the CVSS scoring, while there is no confidentiality impact, the vulnerability presents a low integrity impact and high availability impact on the affected systems (Wiz).

The vulnerability has been addressed in version 2.8.7 of the Stock Locations for WooCommerce plugin. Users are strongly advised to update to this version or later immediately. For users unable to perform immediate updates, Patchstack has implemented a virtual patch to mitigate potential attacks (Wiz).