Primary

Context

Pixel Manager for WooCommerce Information Exposure Vulnerability

Vulnerability

A vulnerability allowing information exposure has been identified in the Pixel Manager for WooCommerce plugin, specifically in versions through 1.49.2. The issue arises in the ajax_pmw_get_product_ids() function, where inadequate restrictions allow unauthenticated users to access data from password-protected, private, or draft products.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive product information, including data from password-protected, private, or draft products.

Reproduction

To reproduce this vulnerability, send a POST request to the WordPress REST API endpoint '/pmw/v1/products/' without proper authentication. Include a 'product_ids' parameter with a comma-separated list of product IDs from password-protected, private, or draft products. The response will include the data from these products, demonstrating the information exposure.

Remediation

Users are advised to update the Pixel Manager for WooCommerce plugin to version 1.49.3 or later.

Added: Nov 18, 2025, 3:55 PM

Updated: Nov 18, 2025, 3:55 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

8.4

remediation

7.7

relevance

1.1

threat

4.8

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

8.4

remediation

7.7

relevance

1.1

threat

4.8

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Pixel Manager for WooCommerce Information Exposure Vulnerability

Vulnerability

Impact

Reproduction

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating