CVE-2025-52800: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-52800) was discovered in Unity Business Technology Pty Ltd's The E-Commerce ERP plugin versions through 2.1.1.3. The vulnerability was reported on July 21, 2025, by security researcher ch4r0n. The issue allows accessing functionality not properly constrained by Access Control Lists (ACLs) (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 7.3 (High). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability affects confidentiality, integrity, and availability at a low level (Patchstack).

The vulnerability is considered highly dangerous and expected to become mass exploited. It allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks (Patchstack).

While no official fix is available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Users are advised to implement the virtual patch immediately to protect their systems (Patchstack).